SECURITY SERVICES AND POLICY ENFORCEMENT FOR ELECTRONIC DATA

FIELD OF THE INVENTION

This invention relates generally to authenticating and validating electronic data, and more particularly to providing security for, and enforcing restrictions on the use of, electronic data.

COPYRIGHT NOTICE/PERMISSION

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the drawing hereto: Copyright © 1997, Microsoft Corporation, All Rights Reserved.

BACKGROUND OF THE INVENTION

Electronic data is inherently intangible and not easily identifiable as to its origin, date of creation, or what restrictions may apply to it. Computer users frequently download software applications from the Internet but in many cases the user cannot tell if the application is authored by the owner of the download site or by someone else. Information, such as news articles, short stories, jokes and cartoons, is also available for download but the user often cannot tell if the information has been posted with the permission of the author, or if the information can be reused or modified without interfering with someone's intellectual property rights.

... data distributed on "hard" ...

A public key/private key approach has been employed to address the problems of authentication and validation of electronic data. In a public key/private key scheme, the data is encrypted using the author's private key and the encrypted data can only be decrypted using the author's public key. If the recipient uses the public key and the use of the public key properly decrypts the encrypted data, the recipient can be certain the data originated with the author. For extra security, the data can be encrypted several times, using layers of public and private keys of both the author and recipient. The process quickly becomes complicated and prone to error.

Similar encryption schemes have been used to require a user to register or pay a fee for the use of the electronic data. The data is encrypted and the author only provides the decrypting key upon registration or payment. Such limited licensing enforcement has not been successful, however, because, among other reasons, many users want to review the data before registering and find the decryption process confusing.

Electronic certificate authorities, such as Verisign, Inc., provide for some authentication of electronic data by supplying individuals and companies with certificates which uniquely identify the individual or company. The author includes the certificate with the electronic data to identify the source of the data. Electronic certificates are also frequently combined with encryption of the data to provide a minimal level of security for the data. However, nothing in the certificate prevents someone from redistributing the data as their own work, or from modifying the data.

One approach to memorializing the creation of electronic data uses an encryption routine, often referred to as a "one-way hash," to reduce the electronic data to a unique number-letter combination, or hash value, from which the data itself cannot be reproduced. The hash is then sent to a third-party service which gives each hash value a sequence number based on the order in which it is received. If a second person hashes the same data with the same hash algorithm (producing the same hash value) and sends the hash value to the same third-party service, the sequence number of the second hash value is greater than that of the first. The trusted party publishes the hash values and the sequence numbers. A receiver of the electronic data generates the hash value and matches it against the published list to determine if more than one sequence number has been assigned. The receiver of the data is responsible for determining if the data it received originated with the author because the third-party service does not authenticate the senders.

Thus, an author must make sure to register the hash before electronic data is released publicly. Furthermore, if the second person sends the second hash value to a different third-party service, the sequence numbers cannot be compared. Nor do the sequence numbers indicate the time and/or date of the submission.

Therefore, what is needed is a mechanism to guarantee the authenticity and validity of electronic data, to enforce use restrictions on the data, to memorialize the creation of the data, and to do so without requiring the author or the recipient to understand complicated encryption schemes.

SUMMARY OF THE INVENTION

The above-mentioned shortcomings, disadvantages and problems are addressed by the present invention, which will be understood by reading and studying the following specification.

Security services and policy enforcement for electronic data are provided through a series of transactions among a server and clients using electronic certificates which are associated with the electronic data. A first client, an author or originator of electronic data, generates a digest of the data using a one-way hashing algorithm, creates a request for a security certificate specifying type of security and policy level, and sends the security certificate request and digest to the server of a trusted arbitrator. The server authenticates the first client, registers, timestamps and logs the certificate and digest, and returns an electronically signed confirmation receipt to the first client. The confirmation receipt contains the digest and the first client can optionally insert the receipt into the security certificate. The first client combines the security certificate with the data, and distributes the combination as a distribution unit.

A second client, a user, acquires the distribution unit, extracts the data from the distribution unit, and generates a digest from the data using the same hashing algorithm. When the security certificate contains the digest generated by the first client, the second client compares the digests. If the digests match, the distribution unit acquired by the user is valid. If the digests do not match, the file cannot be validated.

If the security certificate does not contain a signed confirmation receipt or the user cannot validate the signature,
the user submits the digest to the server. The server compares the digest generated by the user with the logged digest. If the digests match, the distribution unit acquired by the user is valid and the server returns a valid message. If the digests do not match, the server returns an invalid message.

Depending on the certificate type and policy level, the server provides other services to the clients, such as notification of updates to the data, notification of improper use of the data, and payment for the use of the data.

The supporting functions for the clients are automatically provided by modules, or components, in standard software so the author and the user do not have to concern themselves with complicated encryption/decryption schemes. The server functions are additional components to server software that already provides electronic certificates.

Thus, the present invention guarantees the authenticity and validity of the electronic data and enforces use restrictions on the data through the use of the certificates. Furthermore, because the server has authenticated the first client prior to creating the certificate, and time stamps the digest that is generated from the electronic data along with the security certificate, the verification log serves to memorialize the first client and creation time of the data.

The present invention describes systems, clients, servers, methods, and computer-readable media of varying scope. In addition to the aspects and advantages of the present invention described in this summary, further aspects and advantages of the invention will become apparent by reference to the drawings and by reading the detailed description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a diagram of the hardware and operating environment in conjunction with which embodiments of the invention may be practiced;

FIGS. 2A and 2B are diagrams illustrating a system-level overview of an exemplary embodiment of the invention;

FIG. 2C is a block diagram of one exemplary embodiment of a verification log for use with all exemplary embodiments of the invention;

FIG. 2D is a block diagram of one exemplary embodiment of a security certificate for use with all exemplary embodiments of the invention;

FIGS. 3, 4, 5A, 5B and 6 are diagrams illustrating system-level overviews of alternate embodiments of the invention shown in FIGS. 2A and 2B;

FIGS. 7, 8 and 9 are flowcharts of methods to be performed by a server according to an exemplary embodiment of the invention;

FIGS. 10, 11, 12A, 12B and 13 are flowcharts of methods to be performed by a server according to alternate embodiments of the invention;

FIG. 14 is a flowchart of methods to be performed by an originating client according to all embodiments of the invention;

FIG. 15 is a flowchart of methods to be performed by an acquiring client according to an exemplary embodiment of the invention;

FIGS. 16, 17, 18 and 19 are flowcharts of methods to be performed by an acquiring client according to alternate embodiments of the invention; and

FIG. 20 is a block diagram of an exemplary embodiment of computer program modules that cause computers to execute the methods shown; and

DETAILED DESCRIPTION OF THE INVENTION

In the following detailed description of exemplary embodiments of the invention, reference is made to the accompanying drawings which form a part hereof, and in which is shown by way of illustration specific exemplary embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention, and it is to be understood that other embodiments may be utilized and that logical, mechanical, electrical and other changes may be made without departing from the spirit or scope of the present invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims.

The detailed description is divided into five sections. In the first section, the hardware and the operating environment in conjunction with which embodiments of the invention may be practiced are described. In the second section, a system level overview of an exemplary embodiment of the invention is presented. In the third section, methods for an exemplary embodiment of the invention are provided. In the fourth section, a particular Internet implementation of the invention is described. Finally, in the fifth section, a conclusion of the detailed description is provided.

Hardware and Operating Environment

FIG. 1 is a diagram of the hardware and operating environment in conjunction with which embodiments of the invention may be practiced. The description of FIG. 1 is intended to provide a brief, general description of suitable computer hardware and a suitable computing environment in conjunction with which the invention may be implemented. Although not required, the invention is described in the general context of computer-executable instructions, such as program modules, being executed by a computer, such as a personal computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform particular tasks or implement particular abstract data types.

Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

The exemplary hardware and operating environment of FIG. 1 for implementing the invention includes a general purpose computing device in the form of a computer 20, including a processing unit 21, a system memory 22, and a system bus 23 that operatively couples various system components, including the system memory 22, to the processing unit 21. There may be only one or there may be more than one processing unit 21, such that the processor of computer 20 comprises a single central-processing unit (CPU), or a plurality of processing units, commonly referred to as a parallel processing environment. The computer 20 may be a conventional computer, a distributed computer, or any other type of computer; the invention is not so limited.

The system bus 23 may be any of several types of bus structures including a memory bus or memory controller, a
peripheral bus, and a local bus using any of a variety of bus architectures. The system memory may also be referred to as simply the memory, and includes read only memory (ROM) 24 and random access memory (RAM) 25. A basic input/output system (BIOS) 26, containing the basic routines that help to transfer information between elements within the computer 20, such as during start-up, is stored in ROM 24. The computer 20 further includes a hard disk drive 27 for reading from and writing to a hard disk, not shown, a magnetic disk drive 28 for reading from or writing to a removable magnetic disk 29, and an optical disk drive 30 for reading from or writing to a removable optical disk 31 such as a CD ROM or other optical media.

The hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are connected to the system bus 23 by a hard disk drive interface 32, a magnetic disk drive interface 33, and an optical disk drive interface 34, respectively. The drives and their associated computer-readable media provide nonvolatile storage of computer-readable instructions, data structures, program modules and other data for the computer 20. It should be appreciated by those skilled in the art that any type of computer-readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, random access memories (RAMs), read only memories (ROMs), and the like, may be used in the exemplary operating environment.

A number of program modules may be stored on the hard disk, magnetic disk 29, optical disk 31, ROM 24, or RAM 25, including an operating system 35, one or more application programs 36, other program modules 37, and program data 38. A user may enter commands and information into the personal computer 20 through input devices such as a keyboard 40 and pointing device 42. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 21 through a serial port interface 46 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor, computers typically include other peripheral output devices (not shown), such as speakers and printers.

The computer 20 may operate in a networked environment using logical connections to one or more remote computers, such as remote computer 49. These logical connections are achieved by a communication device coupled to or a part of the computer 20; the invention is not limited to a particular type of communications device. The remote computer 49 may be another computer, a server, a router, a network PC, a client, a peer device or other common network node, and typically includes many or all of the elements described above relative to the computer 20, although only a memory storage device 50 has been illustrated in FIG. 1. The logical connections depicted in FIG. 1 include a local-area network (LAN) 51 and a wide-area network (WAN) 52. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.

When used in a LAN-networking environment, the computer 20 is connected to the local network 51 through a network interface or adapter 53, which is one type of communications device. When used in a WAN-networking environment, the computer 20 typically includes a modem 54, a type of communications device, or any other type of communications device for establishing communications over the wide area network 52, such as the Internet. The modem 54, which may be internal or external, is connected to the system bus 23 via the serial port interface 46. In a networked environment, program modules depicted relative to the personal computer 20, or portions thereof, may be stored in the remote memory storage device. It is appreciated that the network connections shown are exemplary and other means of and communications devices for establishing a communications link between the computers may be used.

The hardware and operating environment in conjunction with which embodiments of the invention may be practiced has been described. The computer in conjunction with which embodiments of the invention may be practiced may be a conventional computer, a distributed computer, or any other type of computer; the invention is not so limited. Such a computer typically includes one or more processing units as its processor, and a computer-readable medium such as a memory. The computer may also include a communications device such as a network adapter or a modem, so that it is able to communicatively couple to other computers.

System Level Overview

A system level overview of the operation of an exemplary embodiment of the invention is described by reference to FIGS. 2A and 2B. The exemplary embodiment is implemented in a wide-area networking environment 52 having a server computer, such as remote computer 49, and two user computers, such as local computer 20, all of which are shown in FIG. 1 and described in the previous section. Alternate exemplary embodiments are described with reference to FIGS. 3, 4, 5A, 5B and 6.

The exemplary embodiments of the invention are described in terms of transactions occurring among three parties in support of the exchange of electronic information, such as text documents, images, executable code, or any other electronic data exchanged between a first party and a second party. The first party originates the information which is subsequently acquired by the second party. The first party and the second party rely on a trusted third party arbitrator to perform services in conjunction with the creation, receipt and use of the information.

In a first exemplary embodiment shown in FIGS. 2A and 2B, the trusted arbitrator authenticates the first party and validates the information. In a second exemplary embodiment shown in FIG. 3, use of the information by the second party is monitored on behalf of the first party. In a third exemplary embodiment shown in FIG. 4, the licensing of the information to the second party is monitored on behalf of the first party. In a fourth exemplary embodiment shown in FIGS. 5A and 5B, the trusted arbitrator manages the communication of updates to the information by the first party to the second party. In a fifth exemplary embodiment shown in FIG. 6, the trusted arbitrator manages registration and payment for the information by the second party on behalf of the first party.

All communication between the parties and the trusted arbitrator is secure so that no other party can pretend to be the trusted arbitrator and so that the information exchanged is protected.

With reference to FIG. 1, the trusted arbitrator of the following exemplary embodiments can be, for example, the server computer 49, the first and second parties can be client computers 20, and the wide area network 52 can be the Internet. Additionally, the trusted arbitrator is described in the exemplary embodiments as storing and retrieving information. Such information can be stored on any of the types of computer-readable media described in the previous section and can be arranged in any type of data storage format, such as indexed flat files or various types of data bases well known to one of skill in the art.

The trusted arbitrator can be any on-line server which is trusted by the first and second parties. Because the interchange among the parties is based on a digital security certificate which specifies a security service or policy, or a combination thereof, "trusted certificate authorities" such as VeriSign, Inc., AT&T Certificate Services, and Microsoft Root SGC Authority, can act as the trusted arbitrator by expanding their existing services. A digital security certificate serves to uniquely identify the holder. Currently, a trusted certificate authority verifies the identity of a party requesting a digital security certificate using information such as a social security number, addresses, and credit card information. VeriSign, for example, uses Equifax credit information to authenticate a requesting party. The trusted certificate authority can optionally digitally sign the security certificate which decreases the possibility of fraud. The certificate holder attaches the certificate to its documents, both files and data, to authenticate the information as having originated with the certificate holder. As the basics of trusted certificate authorities and digital certificates are well known to one of skill in the art, the following sections discuss the invention's novel application of the concepts.

For purposes of illustration, the information in the exemplary embodiments is a computer application created by the first party, a software vendor such as a developer or company, and acquired by the second party, a computer user. The computer application is distributed in a distribution unit, such as a compressed "cabinet" file frequently used to distribute applications for the Microsoft Windows family of operating systems, which contains all the files necessary to run the application.

In the following exemplary embodiments, the term "vendor" is used interchangeably to mean the actual vendor (individual or company) and the vendor's computer executing software that performs the vendor operations as described below. Similarly, the term "user" is used interchangeably to mean the user (individual or company) and the user's computer executing software that performs the user operations as described below. The meaning will be clear from the context of the sentence.

Referring first to FIG. 2A, the registration transactions occurring between the software vendor 201 and the trusted arbitrator 203 are described. It is assumed that the vendor 201 has previously registered with the trusted arbitrator 203 using current common methodologies. Additional details on the registration process are described in conjunction with FIG. 7 below.

The software vendor generates a digest 215 of the data to be authenticated 211 using a one-way hashing algorithm 213 (transaction 1). A request 205 for a security certificate specifying the desired security services and policies is sent to the trusted arbitrator 203 (transaction 2). The request 205 also contains the digest 215.

The trusted arbitrator 203 time-stamps the information it receives and authenticates the software vendor's 201 credentials contained in the request 205, signs the digest 215, and creates a unique security certificate 209 for the vendor 201. If the vendor's 201 credentials contained in the request 205 cannot be authenticated or the vendor 201 does not have permission for the requested security services or policies, the trusted arbitrator 203 will return an invalid request message (not shown).

The trusted arbitrator 203 authenticates the software vendor's 201 credentials from a vendor registry 207 (transaction 3). The trusted arbitrator 203 creates the security certificate 209 from information in the request 205 from the vendor 201. The trusted arbitrator 203 registers the security certificate 209 in a security certificate registry 204 (transaction 4). The trusted arbitrator 203 registers the timestamp, data file's 211 name, security certificate's 209 serial number and digest 215 in a verification log 208 (transaction 5). The trusted arbitrator 203 registers the security certificate's 209 serial number with the other certificates 209 owned by the vendor 201 in the vendor registry 207 (transaction 6). The data in the vendor registry 207, verification log 208 and security certificate log 204 are read-only and cannot be changed once entered. The trusted arbitrator 203 returns the security certificate 209 to the software vendor 201 (transaction 7). In an alternate embodiment, the trusted arbitrator 203 includes a digitally signed digest 214 in the security certificate 209 (shown in phantom).

In the embodiment shown in FIG. 2A, the software vendor 201 acquires a single security certificate 209 for one data file 211 and creates a distribution unit 212 consisting of the data file 211 and its corresponding security certificate 209 (transaction 8). In an alternate embodiment shown in transaction 9, the software vendor 201 creates a nested distribution unit 216 which contains multiple distribution units.

In two alternate embodiments not shown in FIG. 2A, the software vendor 201 acquires multiple security certificates and stores them along with their corresponding data files in a single distribution unit, or acquires a security certificate for the distribution unit itself and packages the security certificate along with the distribution unit.

Referring next to FIG. 2B, the authentication and validation transactions occurring between the user 202 and the trusted arbitrator 203 when the user 202 acquires the distribution unit 212 containing the data 211 and security certificate 209 are described. The user 202 acquires the distribution unit either directly from the vendor 201, through a software distributor, or from a location on a wide-area network, such as the Internet (transaction 1). The presence of the security certificate 209 notifies the user 202 that the vendor has been authenticated by a trusted arbitrator. The user 202 validates the data 211 contained in the distribution unit 212 by generating a second digest 223 from the data 211 using the identical one-way hashing algorithm 213 used by the software vendor 201 (transaction 2). In an embodiment in which the security certificate 209 contains a signed digest 214 from the trusted arbitrator 203, the second digest 223 is compared with the signed digest 214. If they match, no action is required from the trusted arbitrator 203 and the data is considered valid (transaction 3). If there is no match, the user 202 can consider the data 211 invalid or can optionally verify the data 211 with the trusted arbitrator that issued the security certificate 209.

When the security certificate 209 does not contain a signed digest 214 or the user 202 wants to validate the data 211 with the trusted arbitrator, the user 202 submits a validation request 224 containing the security certificate's 209 serial number and the second digest 223 to the trusted arbitrator 203 (transaction 4).

The trusted arbitrator 203 reads the entry in the verification log 208 that corresponds to the serial number of the security certificate 209 and compares the first digest 215 stored in the verification log 208 with the second digest 223 sent by the user 202 (transaction 5). If the serial number is
not found, the trusted arbitrator 203 returns a message to the user 202 that the data 212 is invalid (not shown). If the first and second digests match, the trusted arbitrator 203 returns a message 225 to the user 202 confirming the validity of the distribution unit 212 (transaction 6). If the first and second digests do not match, the data in the distribution unit 212 has been changed since the first digest 215 was generated and the trusted arbitrator 203 returns a message that the distribution unit 212 is invalid.

FIG. 2C illustrates one embodiment of a verification log data structure 250 having four data fields: file name 251, timestamp 252, security certificate serial number 253, and data file digest 254. FIG. 2D illustrates one embodiment of a security certificate data structure 260 comprising a serial number field 261 and one or more security services fields 262.

Different types of security services and policy levels can be requested from the trusted arbitrator. The request 205 for a security certificate that provides authentication and validation of a file has been described in conjunction with FIG. 2A. Alternate embodiments that use four other types of security services (copyrighting, licensing, subscription, and consignment) are described next. These security certificates serve to authenticate and validate a file as does the previously described security certificate, but they also cause the trusted arbitrator 203 and user 202 to perform other services after the distribution unit is acquired by the user 202. The vendor 201 can have more than one type of security service permission registered with the trusted arbitrator 203. The transactions invoked by the different security services and policies are described next.

In the following alternate embodiments, the software vendor 201 requests a security certificate specifying the different security services and policies in the same fashion as shown in FIG. 2A for security certificate 205. The remainder of the transactions shown in FIG. 2A also occur as previously described. The transactions described next occur after transactions 1 through 9 of FIG. 2A.

Turning now to FIG. 3, the transactions among the vendor 201, the user 202 and the trusted arbitrator 203 are described when the user 202 acquires a distribution unit 312 containing the data 211 and a security certificate 309 specifying the copyright service (transaction 1). When the user 202 performs an action on the data 211 which invokes the copyright policy in the security certificate 309, depending on the copyright policy specified in the security certificate 309, either 1) the user is warned and not permitted to perform the action if it is against the copyright policy, 2) the vendor 201 ...

... (transaction 7). The trusted arbitrator returns a receipt 305 signifying that the vendor 201 has been notified and the user 202 can perform the action on the data 211 (transaction 8).

In the third case where the copyright policy specifies that the vendor 201 must give permission for a copyright action, the user's 202 software notifies the trusted arbitrator 203 with a notification message 301 containing the serial number of the security certificate 309 (transaction 2). The trusted arbitrator 203 finds the security certificate 309 in the security certificate registry 204 and checks the copyright policy in the security certificate 309. If the policy states that the vendor 201 must give permission, the trusted arbitrator 203 finds the vendor information in the vendor registry 207 (transaction 4) and sends a notification message 303 to the vendor 201 (transaction 5). The vendor 201 receives the notification 303 and grants or denies permission for the action. The vendor 201 sends the permission granted or denied message 304 to the trusted arbitrator 203 (transaction 6). The trusted arbitrator 203 registers that the user 202 has been granted or denied the action by the vendor 201 in the user registry 302 (transaction 7). The trusted arbitrator returns a receipt 305 that the vendor 201 has granted or denied permission, which is enforced by the user 202.

Turning now to FIG. 4, the transactions among the vendor 201, the user 202 and the trusted arbitrator 203 are described when the user 202 acquires a distribution unit 412 containing the data 211 and a security certificate 409 specifying the licensing service (transaction 1). When the user 202 uses the data 211, the presence of a security certificate 409 which specifies the license policy for the data 211 is determined. If the user 202 has a valid license for the data 211, the user 202 can continue.

If the user 202 does not have a valid license for the data 211, a license renewal request message 401 containing the serial number of the security certificate 409 is sent to the trusted arbitrator 203 (transaction 2). The trusted arbitrator 203 finds the security certificate 409 in the security certificate registry 204 and checks the licensing policy in the security certificate 409 (transaction 3). The trusted arbitrator 203 checks if the user's 202 license has been revoked in the user registry 302 (transaction 4).

If the license has been revoked, the trusted arbitrator 203 returns a message to the user 202 that their license has been revoked, which causes access to the data 211 to be denied. If the user's 202 license has not been revoked and the licensing policy states that the vendor 201 renew the license, the trusted arbitrator 203 finds the vendor information in the vendor registry 207 (transaction 5) and sends a license

IS notified through the trusted arbitrator 203 that the action 50 renewal request message 402 to the vendor 201 (transaction 

on the data 211 has happened; 3) permission is requested 6). The vendor 201 can either renew the license or not and 

from the vendor 201 through the trusted arbitrator 203 to return a renewal message 403 to the trusted arbitrator 203 

perform the action on the data 211; or 4) the user is allowed (transaction 7). The trusted arbitrator 203 updates the user 

to perform the action on the data 211. registry 302 with the renewal information (transaction 8). If 

In the second case where the copyright policy specifies 55 the vendor 201 did not renew the Hcense, the trusted 

that the vendor 201 be notified of a copyright action, the user arbitrator 203 informs the user 202 that the license has not 

202 notifies the trusted arbitrator 203 with a notification been renewed and access to the data 211 is denied. If the 

message 301 containing the serial number of the security vendor 201 renewed the license, the trusted arbitrator 203 

certificate 309 (transaaion 2). The trusted arbitrator 203 sends the hcense renewal 404 which contains the rcgistra- 

finds the security certificate 309 in the security certificate 60 tion ID or keycode to unlock the software (transaction 9). 

registry 204 and checks the copyright pohcy in the security The user 202 can use the data 211 in accordance with the 

certificate 309. If the policy states that the vendor 201 be terms of the license. 

notified, the trusted arbitrator 203 finds the vendor informa- The subscription security service and related transactions 

tion m the vendor registry 207 (transaction 4) and sends a are shown in FIGS. 5A and 5B. FIG. 5A shows the trans- 

notification message 303 to the vendor 201 (transaction 5). 65 actions among the vendor 201, the user 202 and die trusted 

The trusted ^bitrator 203 registers that die user 202 has arbitrator 203 when the user 202 acquires a distribution unit 

properly notified the vendor 201 in the user registry 302 512 containing the data 2U and a security certificate 509 
specifying the subscription service (transaction 1). The user 202 registers for future updates to the data 211 by sending a subscribe message 501 containing the serial number of the security certificate 509 to the trusted arbitrator 203 (transaction 2). The trusted arbitrator 203 finds the security certificate 509 in the security certificate registry 204 and checks the subscription policy in the security certificate 509 (transaction 3). The trusted arbitrator 203 adds the user 202 to the user registry 302 as a subscriber to the data 211 listed in the security certificate 509 (transaction 4). The trusted arbitrator 203 returns a subscription receipt 502 to the user 202 (transaction 5).

Update notification for multiple subscribed users 520, 521, 522 is illustrated in FIG. 5B. When the vendor 201 updates the data 211, i.e., creates data 231, the vendor 201 computes a new digest 215 using the one-way hash algorithm 213. The vendor 201 sends an updated subscription message 503 which contains the serial number of the original security certificate 509 and the new digest 215 (transaction 1). The trusted arbitrator 203 validates the vendor's 201 credentials in the vendor registry 207 (transaction 2). The trusted arbitrator 203 updates the security certificate registry 204 to record that a new edition of the data 211 has been subscribed (transaction 3). The trusted arbitrator 203 creates a list of all users 202 subscribed to the data 211 from the user registry 302 (transaction 4). A subscription update receipt 504 containing the new security certificate 510, and optionally containing the list of users 520-522 who are subscribed to the data 211, is returned to the vendor 201 (transaction 5). The vendor 201 creates a new distribution unit 513 from the data 231 and the security certificate 510 and publishes it in the same manner as the original distribution unit 512 (transaction 6). The trusted arbitrator 203 informs the users 520-522 that the data 211 to which they subscribed has been updated (transaction 7). The users 520-522 retrieve the new distribution unit 513 (transaction 8).

A security certificate 609 that specifies the consignment service, and the related transactions among the vendor 201, the user 202 and the trusted arbitrator 203, are shown in FIG. 6. The user 202 acquires a distribution unit 612 containing the data 211 and a security certificate 609 specifying the consignment service (transaction 1). When the user 202 uses the data 211, the presence of a security certificate 609 specifying a consignment policy for the data 211 is determined. If the user 202 has paid for the data 211, the user 202 can continue.

If the user 202 has not paid for the data, a payment request containing the serial number of the security certificate 609 and payment information is sent to the trusted arbitrator 203 (transaction 2). The trusted arbitrator 203 finds the security certificate 609 in the security certificate registry 204 and checks the consignment policy in the security certificate 609 (transaction 3). The trusted arbitrator 203 updates the user registry 302 to record that the user has paid for the distribution unit 612 (transaction 4). The trusted arbitrator returns a receipt 602 containing the registration ID or keycode to unlock the data 211 (transaction 5). The trusted arbitrator sends the payment information 603 to the vendor 201 (transaction 6). [The description of transaction 7 is illegible in the source.]

Further details on the differing types of security services and use policy levels provided by the trusted arbitrator, and on the intermixing of different security services and policies in a security certificate, are discussed in the next section. The use of types of security certificates other than those described above will be readily apparent to one skilled in the art and is contemplated as within the scope of the invention.

The system level overview of the operation of exemplary embodiments of the invention has been described in this section of the detailed description. A series of transactions among parties that provide security services and policy enforcement for the distribution and use of electronic data has been described. For the sake of clarity, a simplified version of protecting software applications distributed across the Internet has been described. The invention is not, however, limited to use in distributing computer software across a network but will be immediately perceived as applicable to any exchange of files or documents which must be authenticated or validated in some fashion, such as legal papers, tax filings, employment records, or the like. Furthermore, although the distribution unit used for illustrative purposes in this section contains a single distribution unit, the ability to have multiple distribution units in a distribution unit, or nested distribution units, is also contemplated by the invention.

Methods of an Exemplary Embodiment of the Invention

In the previous section, a system level overview of the operation of an exemplary embodiment of the invention was described. In this section, the particular methods performed by the server or remote computer of such an exemplary embodiment are described by reference to a series of flowcharts. The methods to be performed by the server computer constitute computer programs made up of computer-executable instructions. Describing the methods by reference to a flowchart enables one skilled in the art to develop such programs, including such instructions, to carry out the methods on suitable computerized servers (the processor of the server executing the instructions from computer-readable media). Also in this section, the particular methods performed by the two client (vendor and user) or local computers of such an exemplary embodiment are described by reference to a series of flowcharts. The methods to be performed by the client computers constitute computer programs made up of computer-executable instructions. Describing the methods by reference to a flowchart enables one skilled in the art to develop such programs, including such instructions, to carry out the methods on suitable computerized clients (the processors of the clients executing the instructions from computer-readable media).

Trusted Arbitrator Server

FIGS. 7, 8, 9, 10, 11, 12A, 12B and 13 [figure list partly illegible in the source] illustrate flowcharts of methods to be performed by a trusted arbitrator server computer according to the exemplary embodiments of the invention discussed in the previous section in conjunction with FIGS. 2A, 2B, 3, 4 [remainder of the list and of this paragraph illegible in the source].

[The beginning of the description of the vendor registration method of FIG. 7 is illegible in the source.] If the credentials do not match, the trusted arbitrator returns an invalid registration message (step 703). If the credentials match, the trusted arbitrator transfers the payment from the vendor if required (steps 704 and 705). The trusted arbitrator adds the vendor to the vendor registry along with the services the vendor has registered (step 706). The trusted arbitrator returns a confirmation receipt to the vendor (step 707).
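The transactions above all rest on the same three server-side records: the vendor registry 207, the security certificate registry 204, and the verification (digest) log that pairs each serial number with the digest registered for it. The following is an added example, not code from this patent, that works those records through in Python: certificate issuance as in FIG. 8, digest validation as in FIG. 9 and FIG. 15 of the next section, and the subscription update of FIG. 5B, in which the arbitrator binds the new digest to a new serial number while the old log entry stays valid for the old edition. SHA-256 as the one-way hash, password credentials for vendors, dict-backed registries and random serials are assumptions of this example; the optional signed digest in the certificate is not modelled because it needs a public-key signature the page does not specify.

```python
"""Trusted arbitrator core: certificate issuance (FIG. 8), validation (FIG. 9 / FIG. 15)
and subscription update (FIG. 5B / FIG. 12A). Added example; not the patent's code."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def digest_of(data: bytes) -> str:
    """The one-way hash 213 applied to the data; SHA-256 is an assumption."""
    return hashlib.sha256(data).hexdigest()


class TrustedArbitrator:
    def __init__(self) -> None:
        self.vendor_registry = {}        # vendor -> {"password", "services", "certs"} (password: assumed credential)
        self.certificate_registry = {}   # serial -> certificate record
        self.verification_log = {}       # serial -> registered digest (the "verification (digest) log")
        self.user_registry = {}          # serial -> set of subscribed users

    def register_vendor(self, vendor: str, password: str, services: set) -> None:
        """FIG. 7: a registered vendor may only declare the services it registered for."""
        self.vendor_registry[vendor] = {"password": password, "services": set(services), "certs": []}

    def _authenticate(self, vendor: str, password: str) -> bool:
        rec = self.vendor_registry.get(vendor)
        return rec is not None and hmac.compare_digest(rec["password"].encode(), password.encode())

    def issue_certificate(self, vendor: str, password: str, digest: str, services: set) -> dict:
        """FIG. 8, steps 801-815."""
        received = datetime.now(timezone.utc).isoformat()                  # step 802: time/date of receipt
        if not self._authenticate(vendor, password):                       # steps 803-806
            return {"status": "invalid vendor"}
        if not set(services) <= self.vendor_registry[vendor]["services"]:  # steps 807-808
            return {"status": "invalid security certificate"}
        serial = secrets.token_hex(8)                                       # step 809: unique serial number
        cert = {"serial": serial, "registered": received, "vendor": vendor,
                "services": sorted(services)}                               # steps 810-811
        self.certificate_registry[serial] = cert                            # step 813
        self.verification_log[serial] = digest                              # step 814
        self.vendor_registry[vendor]["certs"].append(serial)                # step 815
        return {"status": "ok", "certificate": cert}

    def validate(self, serial: str, computed_digest: str) -> str:
        """FIG. 9, steps 901-906: a user's validation request."""
        logged = self.verification_log.get(serial)
        if logged is None or not hmac.compare_digest(logged, computed_digest):  # steps 903-905
            return "invalid data"
        return "valid data"                                                 # step 906

    def subscription_update(self, vendor: str, password: str, serial: str, new_digest: str) -> dict:
        """FIG. 5B / FIG. 12A: new digest for an existing subscription certificate."""
        if not self._authenticate(vendor, password):                       # steps 1203-1206
            return {"status": "invalid vendor"}
        old = self.certificate_registry.get(serial)
        if old is None or old["vendor"] != vendor or "subscription" not in old["services"]:
            return {"status": "invalid subscription update"}               # steps 1207-1208
        new_serial = secrets.token_hex(8)                                   # step 1212: new serial for the new edition
        cert = dict(old, serial=new_serial, edition_of=serial,
                    registered=datetime.now(timezone.utc).isoformat())      # step 1210
        self.certificate_registry[new_serial] = cert
        self.verification_log[new_serial] = new_digest                      # step 1213: the old entry is kept
        self.vendor_registry[vendor]["certs"].append(new_serial)            # step 1214
        subscribers = sorted(self.user_registry.get(serial, ()))            # step 1216: who to notify
        self.user_registry[new_serial] = set(subscribers)
        return {"status": "ok", "certificate": cert, "notified": subscribers}


def client_validate(arbitrator: TrustedArbitrator, cert: dict, data: bytes) -> bool:
    """FIG. 15, steps 1503 and 1509-1512: recompute the digest and ask the arbitrator."""
    return arbitrator.validate(cert["serial"], digest_of(data)) == "valid data"


def demo() -> dict:
    """Constructed scenario: a genuine file, a tampered copy, an updated edition and an impostor."""
    ta = TrustedArbitrator()
    ta.register_vendor("acme", "s3cret", {"validation", "subscription"})
    edition1, edition2 = b"edition 1 of the handbook", b"edition 2 of the handbook"
    cert = ta.issue_certificate("acme", "s3cret", digest_of(edition1),
                                {"validation", "subscription"})["certificate"]
    ta.user_registry.setdefault(cert["serial"], set()).add("alice")        # FIG. 5A: alice subscribes
    update = ta.subscription_update("acme", "s3cret", cert["serial"], digest_of(edition2))
    impostor = ta.subscription_update("acme", "guess", cert["serial"], digest_of(b"malware"))
    return {
        "genuine": client_validate(ta, cert, edition1),
        "tampered": client_validate(ta, cert, edition1 + b" (altered in transit)"),
        "new_edition": client_validate(ta, update["certificate"], edition2),
        "old_serial_new_data": client_validate(ta, cert, edition2),
        "notified": update["notified"],
        "impostor": impostor["status"],
    }
```

Two properties are worth checking against the page's own transactions: a digest is only ever looked up under the serial it was registered with, so the second edition does not validate under the first edition's serial, and an update request that fails vendor authentication changes nothing, which is the point of steps 1203-1206 alerting the real vendor.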
In one embodiment, the trusted arbitrator places a "cookie" that is specific to the arbitrator and the vendor's computer on the vendor's computer and stores the cookie contents in the vendor registry for future authentication of the vendor. In an alternate embodiment, the trusted arbitrator transmits a password unique to the vendor and stores the password in the vendor registry so that the vendor can be authenticated using the password.

When the vendor requests a security certificate from the trusted arbitrator (referring to FIG. 8), the trusted arbitrator receives a certificate request and digest (step 801). The trusted arbitrator records the time and date of receipt (step 802). The vendor is authenticated against the vendor registry (step 803). If the vendor cannot be authenticated, then the request is from an invalid vendor (step 804). The trusted arbitrator searches the vendor registry for the correct vendor (step 805) and notifies them of the invalid request (step 806). The invalid vendor is also notified of the reason their request was not granted.

If the vendor is valid, then the trusted arbitrator verifies that the vendor is permitted to declare the security service requested (step 807). If the vendor does not have permission to declare the security service requested, the trusted arbitrator returns an invalid security certificate message (step 808).

If the request is valid, then the trusted arbitrator creates the security certificate by generating a unique security certificate number (step 809); embedding the time and date stamp (step 810); filling in the appropriate information from the request and the vendor registry (step 811); and, optionally, embedding the digitally signed digest into the certificate (step 812, shown in phantom). The trusted arbitrator writes the security certificate information to the security certificate registry (step 813); writes the security certificate serial number and digest to the verification (digest) log (step 814); and adds the security certificate serial number to the vendor's entry in the vendor registry (step 815). A receipt containing the security certificate is returned to the vendor (step 815).

Turning now to FIG. 9, under certain circumstances as described above and in more detail below, when the user needs to validate the data received in a distribution unit, the trusted arbitrator receives a validation request containing the security certificate serial number and the computed digest from the user (step 901). The trusted arbitrator queries the verification log for the digest recorded under that security certificate serial number (step 902). If the security certificate serial number is not found in the verification log (step 903), or if the digests do not match (step 904), then the trusted arbitrator returns an invalid data receipt (step 905). If the digests match, then the data is valid and the trusted arbitrator returns a valid data receipt (step 906).

When the user of data associated with a security certificate specifying the copyright service invokes the notification or permission policy through an action, the trusted arbitrator receives a copyright notification message containing the security certificate serial number (step 1001). The trusted arbitrator checks whether the security certificate serial number is a valid number in the security certificate registry (step 1002). If not, it is an invalid security certificate serial number (step 1003). The user is notified that the trusted arbitrator could not find the serial number (not shown). Under these circumstances, any copyright policies on the document cannot be enforced, so the data is treated as if it is not copyrighted.

For a valid security certificate, the trusted arbitrator checks whether the security certificate specifies the copyright service (step 1004). If not, the trusted arbitrator returns a message telling the user that the file is not copyrighted (step 1005). If copyright information exists, then the trusted arbitrator queries the vendor registry for the copyright contact information (step 1006). The trusted arbitrator notifies the vendor contact that the copyright policy has been invoked by the user and updates the user registry (step 1007).

If permission from the vendor is not required (step 1008), then the trusted arbitrator grants permission to the user (step 1009); else the trusted arbitrator waits for the author to grant or deny permission (step 1010). The trusted arbitrator adds the vendor's reply to the user registry (step 1011) and sends a message to the user either granting (step 1009) or denying (step 1012) permission to continue.

As described above and in more detail below, when the user attempts to use data which is associated with a security certificate specifying the license service and the license is invalid, the trusted arbitrator receives a license renewal request containing the security certificate serial number (step 1101 in FIG. 11). The trusted arbitrator checks whether the security certificate serial number is a valid number in the security certificate registry (step 1102). If not, it is an invalid security certificate serial number (step 1103). The user is notified that the trusted arbitrator could not find the serial number (not shown). Any license policies on the document cannot be enforced and the data is treated as if it is not subject to licensing.

When the security certificate is valid, the trusted arbitrator checks whether the security certificate specifies the license service (step 1104). If not, the trusted arbitrator returns a message telling the user that the file is not licensed (step 1105). If license information exists, the trusted arbitrator checks in the user registry whether the user's license to use the software has been revoked (step 1106). If the user's license has been revoked, the trusted arbitrator returns a license revoked message to the user's computer (step 1107), which results in the user being unable to access the data.

If the license is not revoked, the trusted arbitrator queries the vendor registry for the licensor information (step 1108). The trusted arbitrator requests a license renewal from the licensor and waits for the licensor to renew or revoke the license (step 1109). The trusted arbitrator adds the licensor's reply to the user registry (step 1110) and either revokes the license as described immediately above (step 1112) or renews the license by sending a registration ID or keycode to unlock the software (step 1113).

As shown in FIG. 12A, when the vendor modifies periodically-updated data associated with a security certificate specifying the subscription service, the vendor notifies the trusted arbitrator with a subscription update request containing the newly calculated digest of the modified material (step 1201). The trusted arbitrator time and date stamps the request (step 1202) and checks the vendor's credentials to see if the vendor is valid (step 1203). If the vendor is not valid (step 1204), the trusted arbitrator searches for the real vendor in the vendor registry (step 1205) and alerts the real vendor (step 1206).

If the vendor is valid, the trusted arbitrator checks whether the subscription update request is for an existing security certificate (step 1207). If not, the trusted arbitrator returns a message that the subscription update request is invalid (step 1208). If the subscription update request is valid, the trusted arbitrator updates the edition information in the verification (digest) log (step 1209), embeds the time and date stamp (step 1210), and, optionally, digitally signs the new digest and inserts the signature in the security certificate (step 1211, shown in phantom). The trusted arbitrator updates the serial
number of the security certificate in the security certificate registry (step 1212), creates a new entry in the verification (digest) log (step 1213), and adds the new security certificate serial number to the vendor's security certificates in the vendor registry (step 1214). The trusted arbitrator returns a receipt containing the updated security certificate (step 1215). The trusted arbitrator searches the user registry for all users subscribed to the data (step 1216) and notifies them of the updated document (step 1217).

Continuing on to FIG. 12B, the user of data associated with a security certificate specifying the subscription service can subscribe to be notified of updates to the data by sending a user subscription request to the trusted arbitrator (step 1218). The trusted arbitrator checks whether the user subscription request is for an existing security certificate (step 1219). If not, the trusted arbitrator returns a message that the data does not exist (step 1220).

When the data does exist, the trusted arbitrator checks whether the security certificate contains the subscription service block (step 1221). If not, the trusted arbitrator returns a message that the data cannot be subscribed to (step 1222). If the security certificate contains a subscription service block, the trusted arbitrator updates the user registry of subscribers to the security certificate serial number (step 1223) and returns a subscription receipt (step 1224).

As described above and in more detail below, when the user of data associated with a security certificate that specifies the consignment service receives the data without a valid license to use the data, the user can purchase the data. FIG. 13 illustrates the method used by the trusted arbitrator if the user chooses to purchase the data. The trusted arbitrator receives a consignment payment request containing the security certificate serial number and payment information (step 1301). The trusted arbitrator checks whether the security certificate serial number is a valid number in the security certificate registry (step 1302). If not, it is an invalid security certificate serial number (step 1303). The user is notified that the trusted arbitrator could not find the serial number (not shown). Any consignment policies on the document cannot be enforced and the data is treated as if it is not on consignment.

For a valid certificate, the trusted arbitrator checks whether the security certificate specifies the consignment service (step 1304). If not, the trusted arbitrator returns a message telling the user that the file is not on consignment (step 1305). If consignment information exists, the trusted arbitrator withdraws payment from an account maintained for the user (step 1306), and updates the user registry to indicate that the user has paid (step 1307). The trusted arbitrator returns a registration ID or keycode to unlock the software (step 1308), sends a payment to the vendor (step 1309) and updates the account information in the vendor registry (step 1310).

Vendor Client

A flowchart of a method to be performed by a client computer on behalf of a vendor according to the exemplary embodiments of the invention is shown in FIG. 14. The method is inclusive of the steps or acts required to be taken by the vendor client computer using the components discussed in the previous section.

The vendor client computer applies a one-way hashing algorithm to the electronic data to create a digest of the data (step 1401). If the client is updating existing data associated with a security certificate specifying the subscription service (step 1402), the vendor client computer creates a subscription update request from the vendor's credentials and the desired types of services and policy levels, and submits the request with the digest to the server (step 1403). If the data is not a subscription update of existing data, the vendor client computer creates a new security certificate request from the vendor's credentials and the desired types of services and policy levels, and submits the request with the digest to the server (step 1404).

In either case, when the security certificate is received from the trusted arbitrator (step 1405), the vendor client computer combines the security certificate with the data to form a distribution unit (step 1406). Distribution units may optionally be combined with other distribution units to form nested distribution units (step 1407, shown in phantom). The vendor client distributes the distribution unit containing the data and security certificate (step 1408).

User Client

FIGS. 15, 16, 17, 18 and 19 illustrate flowcharts of methods to be performed by a client computer on behalf of a user according to the exemplary embodiments of the invention. These methods are inclusive of the steps or acts required to be taken by the user client computer using the components discussed in the previous section.

When a distribution unit is loaded, the user client computer extracts the security certificate from the distribution unit to determine which services to perform. For example, if the certificate allows a thirty-day trial period but requires payment after that, the client notes the date the information is installed so that it can alert the user when the time period has expired. Other additional operations necessary to support the security services and policy enforcement will be readily apparent to one of skill in the art upon reading the detailed description of the various security types and policy levels below. The data can require that the client perform an installation process prior to the data being used, or, if the distribution unit is a compressed file, the client must uncompress the data. If textual data is distributed in a word processor compatible distribution unit, such as a Microsoft Word document, no additional processing is required.

Thus, FIGS. 15, 16, 17, 18 and 19 all begin with the acquisition of a distribution unit and the extraction of the security certificate to determine the security services and policies specified therein. The method used by the user client computer is dictated by the type of security certificate. Because the security services and policies can be combined in various permutations, the methods described below are also combined as required by the specific security certificate.

Referring first to FIG. 15, for a distribution unit containing a security certificate which specifies the validation service (step 1501), the user client computer validates the data by extracting the security certificate [step number illegible in the source] and computing a digest from the data using a one-way hashing function (step 1503). If the security certificate contains a signed digest from a trusted arbitrator [condition partly illegible in the source], then the user client computer [compares the two digests; wording illegible in the source] (step 1505). If the digests match, the data are valid (step 1507), else the data are invalid [step number illegible in the source]. If there is no signed digest in the file, then the user client computer sends a validation request message containing the security certificate serial number and the computed digest to the trusted arbitrator (step 1509). If the trusted arbitrator returns a valid receipt (step 1510), the data are valid (step 1511), else the data are invalid (step 1512).

As shown in FIG. 16, if the security certificate specifies the copyright service, the user client computer monitors the user's actions on the data (step 1603). If the user's actions invoke the copyright policy (step 1604), the user client computer checks to determine whether the action is in accordance with the copyright policy (step 1605). If the action is denied by the copyright policy, the user's action is disallowed (step 1606) and optionally the user is notified of the reason (step 1607). If the user's action requires that the vendor be notified (step 1608) or that permission be requested from the vendor (step 1609), the vendor is notified (step 1610 or 1611). If the copyright policy specifies that the vendor must give permission for the action (step 1609), the client cannot save the results of the action until the user client computer receives permission from the vendor (step 1611). If permission is granted (step 1612), the user can continue with the action. If permission is denied, the user client computer notifies the user and the user's action is not allowed (step 1613).
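The four outcomes of the copyright policy (deny, notify, permission, allow) are shared by FIG. 3, the server steps of FIG. 10 and the client steps of FIG. 16 above. The following is an added example, not part of this patent, of a user client that monitors actions and applies the policy per action, with a toy arbitrator standing in for the notification and permission round trips. The policy encoding (one level per action, named after the "with author notification" and "with author permission" wording of the certificate format below), the vendor decision callback and the reply strings are assumptions of this example.

```python
"""Copyright-policy enforcement on the user client (FIG. 3, FIG. 10, FIG. 16).
Added example, not the patent's code; encoding and messages are assumptions."""
from enum import Enum


class Level(Enum):
    """One policy level per action; the names follow the certificate format's wording."""
    DENY = "cannot"                        # case 1: user warned, action not permitted
    NOTIFY = "with author notification"    # case 2: vendor told, through the arbitrator
    PERMISSION = "with author permission"  # case 3: vendor must grant
    FREE = "freely"                        # case 4: allowed without contact


class Arbitrator:
    """FIG. 10: validates the serial, records the event, relays notification or permission."""

    def __init__(self, certificate_registry: dict, vendor_decides) -> None:
        self.certificate_registry = certificate_registry   # serial -> {"vendor", "copyright": {action: Level}}
        self.vendor_decides = vendor_decides               # callable(vendor, user, action) -> bool (assumed)
        self.user_registry = []                            # recorded (serial, user, action, outcome) tuples

    def copyright_notification(self, serial: str, user: str, action: str) -> str:
        cert = self.certificate_registry.get(serial)
        if cert is None:                                   # steps 1002-1003: unknown serial
            return "unknown serial"
        level = cert["copyright"].get(action)
        if level is None:                                  # steps 1004-1005: no copyright policy for it
            return "not copyrighted"
        self.user_registry.append((serial, user, action, "notified"))   # steps 1006-1007
        if level is not Level.PERMISSION:                  # steps 1008-1009
            return "granted"
        granted = self.vendor_decides(cert["vendor"], user, action)     # step 1010: wait for the vendor
        self.user_registry.append((serial, user, action, "granted" if granted else "denied"))  # step 1011
        return "granted" if granted else "denied"          # step 1009 or 1012


class UserClient:
    """FIG. 16: monitors the user's actions on the data and applies the certificate's policy."""

    def __init__(self, user: str, cert: dict, arbitrator: Arbitrator) -> None:
        self.user, self.cert, self.arbitrator = user, cert, arbitrator
        self.saved = []                                    # results the user was allowed to keep

    def perform(self, action: str) -> str:
        level = self.cert["copyright"].get(action, Level.FREE)   # unlisted actions are not policed (assumed)
        if level is Level.DENY:                                  # steps 1605-1607
            return "disallowed: against copyright policy"
        if level is Level.FREE:
            self.saved.append(action)
            return "allowed"
        reply = self.arbitrator.copyright_notification(self.cert["serial"], self.user, action)  # 1610/1611
        if reply in ("unknown serial", "not copyrighted"):   # FIG. 10: policy cannot be enforced
            self.saved.append(action)
            return "allowed (policy unenforceable)"
        if reply != "granted":                                   # step 1613
            return "disallowed: vendor denied permission"
        self.saved.append(action)                                # step 1612: results may now be saved
        return "allowed" if level is Level.NOTIFY else "allowed with vendor permission"


def demo() -> dict:
    """Constructed certificate with one level per action and a vendor that only trusts alice."""
    registry = {"SC-0001": {"vendor": "acme", "copyright": {
        "view": Level.FREE, "print": Level.NOTIFY, "copy": Level.PERMISSION, "redistribute": Level.DENY}}}
    ta = Arbitrator(registry, vendor_decides=lambda vendor, user, action: user == "alice")
    cert = dict(registry["SC-0001"], serial="SC-0001")
    alice, mallory = UserClient("alice", cert, ta), UserClient("mallory", cert, ta)
    stale = UserClient("bob", dict(cert, serial="SC-9999"), ta)    # serial the arbitrator never issued
    return {"view": alice.perform("view"), "print": alice.perform("print"),
            "copy_alice": alice.perform("copy"), "copy_mallory": mallory.perform("copy"),
            "redistribute": alice.perform("redistribute"), "stale": stale.perform("print"),
            "events": len(ta.user_registry), "mallory_saved": mallory.saved}
```

Note the fail-open branch: FIG. 10 says that when the arbitrator cannot find the serial number the data is treated as not copyrighted, so a certificate whose serial was never registered (or has been stripped and replaced) sidesteps the notify and permission levels entirely; the deny level is the only one the client enforces without the arbitrator.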

When the user client computer receives a distribution unit containing a security certificate that specifies the license service (refer to FIG. 17), the user client computer allows the user to use the data (step 1703) while the user has a valid license (step 1704). If the license has expired, the user client computer submits a request for a license renewal containing the security certificate serial number to the trusted arbitrator (step 1705). If a keycode or registration ID is received from the trusted arbitrator (step 1706), the license is renewed (step 1707) and the user can use the data. If the license was revoked (step 1708), the user client computer prevents the user from using the data (step 1709).
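The license exchange (FIG. 4, the server steps of FIG. 11 and the client steps of FIG. 17) is the one place where the arbitrator hands the client a secret, the keycode or registration ID that unlocks the data. The added example below, not part of this patent, plays both ends: the arbitrator checks the serial against the certificate registry and the user registry for revocation, asks the vendor, records the reply and issues a keycode; the client uses the data while its keycode is valid and otherwise submits the renewal request. The keycode construction (an HMAC over serial, user and expiry under a per-certificate key), the 30-day term and the vendor callback are assumptions of this example.

```python
"""License renewal exchange: FIG. 4 transactions, FIG. 11 server steps, FIG. 17 client steps.
Added example, not the patent's code. Keycode format and renewal term are assumptions."""
import hashlib
import hmac
from datetime import date, timedelta


def make_keycode(key: bytes, serial: str, user: str, expires: date) -> str:
    """Assumed keycode: HMAC over (serial, user, expiry) under a per-certificate key."""
    msg = f"{serial}|{user}|{expires.isoformat()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:20]


class TrustedArbitrator:
    def __init__(self, vendor_decides) -> None:
        self.certificate_registry = {}   # serial -> {"vendor", "services", "keycode_key"}
        self.user_registry = {}          # (serial, user) -> {"revoked", "expires", "replies"}
        self.vendor_decides = vendor_decides   # callable(vendor, serial, user) -> bool (messages 402/403)

    def license_renewal(self, serial: str, user: str, today: date) -> dict:
        cert = self.certificate_registry.get(serial)
        if cert is None:                                           # steps 1102-1103
            return {"status": "invalid serial"}
        if "license" not in cert["services"]:                      # steps 1104-1105
            return {"status": "not licensed"}
        entry = self.user_registry.setdefault((serial, user),
                                              {"revoked": False, "expires": None, "replies": []})
        if entry["revoked"]:                                       # steps 1106-1107
            return {"status": "revoked"}
        renewed = self.vendor_decides(cert["vendor"], serial, user)  # steps 1108-1109
        entry["replies"].append(renewed)                           # step 1110
        if not renewed:                                            # step 1112: vendor declined
            entry["revoked"] = True
            return {"status": "revoked"}
        entry["expires"] = today + timedelta(days=30)              # renewal term: assumption
        return {"status": "renewed", "expires": entry["expires"],  # step 1113 (message 404)
                "keycode": make_keycode(cert["keycode_key"], serial, user, entry["expires"])}


class UserClient:
    """FIG. 17: uses the data while the local license is valid, otherwise asks for renewal."""

    def __init__(self, user: str, serial: str, keycode_key: bytes, arbitrator: TrustedArbitrator) -> None:
        self.user, self.serial, self.key, self.arbitrator = user, serial, keycode_key, arbitrator
        self.expires, self.keycode = None, None

    def _license_valid(self, today: date) -> bool:                 # step 1704
        if self.expires is None or today > self.expires or self.keycode is None:
            return False
        expected = make_keycode(self.key, self.serial, self.user, self.expires)
        return hmac.compare_digest(expected, self.keycode)

    def use_data(self, today: date) -> str:
        if self._license_valid(today):
            return "using data"                                    # step 1703
        reply = self.arbitrator.license_renewal(self.serial, self.user, today)   # step 1705 (message 401)
        if reply["status"] != "renewed":                           # steps 1708-1709
            return f"access denied: {reply['status']}"
        self.expires, self.keycode = reply["expires"], reply["keycode"]  # steps 1706-1707
        return "using data (renewed)" if self._license_valid(today) else "access denied: bad keycode"


def demo() -> dict:
    """Constructed run: renewal, cached use, a tampered keycode, a refused user, a wrong service."""
    key = b"per-certificate keycode key (constructed)"
    ta = TrustedArbitrator(vendor_decides=lambda vendor, serial, user: user != "mallory")
    ta.certificate_registry["SC-0042"] = {"vendor": "acme", "services": {"license"}, "keycode_key": key}
    ta.certificate_registry["SC-0043"] = {"vendor": "acme", "services": {"validation"}, "keycode_key": key}
    d0 = date(2024, 1, 1)
    alice = UserClient("alice", "SC-0042", key, ta)
    first = alice.use_data(d0)                                     # no license yet: full round trip
    second = alice.use_data(d0 + timedelta(days=10))               # within term: no round trip
    alice.keycode = alice.keycode[:-1] + ("0" if alice.keycode[-1] != "0" else "1")   # corrupt it
    tampered = alice.use_data(d0 + timedelta(days=10))             # rejected locally, renewed again
    mallory = UserClient("mallory", "SC-0042", key, ta)
    bob = UserClient("bob", "SC-0043", key, ta)
    return {"first": first, "second": second, "tampered": tampered,
            "mallory": mallory.use_data(d0), "mallory_again": mallory.use_data(d0),
            "bob": bob.use_data(d0), "unknown": UserClient("x", "SC-9", key, ta).use_data(d0),
            "alice_replies": ta.user_registry[("SC-0042", "alice")]["replies"]}
```

Because the client must hold the HMAC key to check the keycode, anyone who extracts that key from the installed software can mint keycodes for any user and expiry; a deployment would issue the keycode as a public-key signature so that the client holds only the verification key. The consignment flow of FIG. 19 is the same receipt pattern with a payment in place of the vendor's renewal decision.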

Referring now to FIG. 18, when the user client computer 
receives a distribution unit containing a security certificate 
specifying the subscription service, the user client computer 
submits a user subscription request containing the security 
certificate serial number and subscriber information (step 
1803) to the trusted arbitrator. When the vendor updates the 
data and notifies the trusted arbitrator, the trusted arbitrator 
notifies all subscribers to the data (step 1804) and the 
subscribers retrieve the new distribution unit (step 1805). 

A security certificate that specifies the consignment service (step 1903 in FIG. 19) causes the user client computer to submit a payment request containing the security certificate serial number and payment information (step 1904) to the trusted arbitrator. The user client computer does not allow the data to be used until the trusted arbitrator withdraws the payment from the user's account and returns a keycode or registration ID (step 1905). The user client computer then allows the user to use the data (step 1906).

Examples of the security types and policy levels of certificates contemplated for use in the present invention are discussed in detail at this point. The context in which the information will be used determines what security services and policy enforcement are applicable. As will be readily apparent to one of skill in the art, the following examples are not exhaustive, and other types and levels of security certificates can be used with the methods described herein without exceeding the scope of the invention. A security certificate can be created with a single type and level of security, or different types and varying levels of security can be combined into a single security certificate, for example combining copyrighting with licensing. Furthermore, a trusted arbitrator of the present invention can offer all or only a subset of the following security certificates without departing from the concepts envisioned by the inventor.
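The format listed below is a counted sequence of length-prefixed service blocks behind a fixed header, and the statement that future services can be added without modifying the original format only holds if readers skip blocks they do not understand by their declared length and refuse lengths that run past the certificate. The following is an added example, not this patent's code, that encodes and parses that layout with those checks. The magic values, field widths, big-endian byte order, the set of known block tags and the payload encoding are assumptions; the page fixes only the field order.

```python
"""Encoder and bounds-checked parser for the security certificate layout on this page:
header block, then a counted list of length-prefixed service blocks. Added example;
magic values, field widths and byte order are assumptions, only the field order is the page's."""
import struct
from datetime import datetime, timezone

CERT_MAGIC = b"SCRT"                    # "set bytes confirming that this is a security certificate" (assumed)
HEADER = struct.Struct(">4sIH16sIH")    # magic, total length, version, identifier, registration time, block count
BLOCK_HEADER = struct.Struct(">4sIH")   # block magic, block length (including this header), block version
KNOWN_BLOCKS = {b"APPL": "application", b"AUTH": "author", b"DIST": "distributor",
                b"VALD": "validation", b"COPY": "copyright", b"LICN": "license"}   # assumed tags


class CertificateError(ValueError):
    pass


def encode_certificate(identifier: bytes, registered: datetime, blocks: list) -> bytes:
    """blocks: list of (4-byte magic, version, payload bytes); payload layout is opaque here."""
    body = b"".join(BLOCK_HEADER.pack(magic, BLOCK_HEADER.size + len(payload), version) + payload
                    for magic, version, payload in blocks)
    total = HEADER.size + len(body)
    return HEADER.pack(CERT_MAGIC, total, 1, identifier.ljust(16, b"\0"),
                       int(registered.timestamp()), len(blocks)) + body


def parse_certificate(buf: bytes) -> dict:
    if len(buf) < HEADER.size:
        raise CertificateError("truncated header")
    magic, total, version, ident, ts, count = HEADER.unpack_from(buf, 0)
    if magic != CERT_MAGIC:
        raise CertificateError("not a security certificate")
    if total != len(buf):                   # the length field must describe exactly what was received
        raise CertificateError(f"length field {total} != buffer {len(buf)}")
    blocks, offset = [], HEADER.size
    for _ in range(count):
        if offset + BLOCK_HEADER.size > total:
            raise CertificateError("service block header past end of certificate")
        bmagic, blen, bver = BLOCK_HEADER.unpack_from(buf, offset)
        if blen < BLOCK_HEADER.size or offset + blen > total:   # never trust a length to bound a read
            raise CertificateError(f"service block {bmagic!r} length {blen} out of bounds")
        payload = buf[offset + BLOCK_HEADER.size:offset + blen]
        blocks.append({"type": KNOWN_BLOCKS.get(bmagic, "unknown"), "magic": bmagic,
                       "version": bver, "payload": payload})    # unknown blocks are kept, not rejected
        offset += blen
    if offset != total:
        raise CertificateError("trailing bytes after last service block")
    return {"version": version, "identifier": ident.rstrip(b"\0"),
            "registered": datetime.fromtimestamp(ts, timezone.utc), "blocks": blocks}


def parse_or_error(buf: bytes) -> str:
    """Returns "ok" or the parser's reason for rejecting the bytes."""
    try:
        parse_certificate(buf)
        return "ok"
    except CertificateError as exc:
        return str(exc)


def demo() -> dict:
    """Constructed certificate with a validation block, a copyright block and a future block,
    then two malformed variants: a block length that overruns the buffer, and a truncated copy."""
    when = datetime(2004, 4, 27, tzinfo=timezone.utc)
    cert = encode_certificate(b"SC-0001", when, [
        (b"VALD", 1, b"handbook.pdf"),                               # validation block: name of file validated
        (b"COPY", 1, b"view:freely;print:with author notification"),
        (b"FUTR", 3, b"service not defined on the page"),            # a future service, skipped by length
    ])
    parsed = parse_certificate(cert)
    overrun = bytearray(cert)
    second_block = HEADER.size + BLOCK_HEADER.size + len(b"handbook.pdf")
    struct.pack_into(">I", overrun, second_block + 4, 10_000)        # lie about the second block's length
    return {"types": [b["type"] for b in parsed["blocks"]],
            "identifier": parsed["identifier"],
            "registered": parsed["registered"].isoformat(),
            "overrun": parse_or_error(bytes(overrun)),
            "truncated": parse_or_error(cert[:-5])}
```

The two rejections are the ones that matter for a reader of untrusted certificates: a block length that exceeds the enclosing certificate, and a certificate whose own length field disagrees with the bytes actually received. Both checks cost one comparison and turn an out-of-bounds read into a clean parse failure.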

An exemplary format of a security certificate is shown immediately below, with a brief description of the major sections following. The remaining sections of the security certificate are self-explanatory. Note that multiple or future services with different policy levels can be combined in the security certificate without modifying the original format.
Security Certificate Format

Header block
    Set bytes confirming that this is a security certificate
    Length of Security Certificate
    Security Certificate Version
    Security Certificate Identifier unique for this certificate
    Time and Date of Registration
    Number of service blocks (zero or more)
Application Information Service block
    Set bytes confirming that this is an Application Information Service block
    Length of Application Information Service block
    Version of Application Information Service block
    Number of Applications (one or more)
    Application information
        Name of Application
        Version of Application
        Number of URLs to find Application
            URL to application
        Number of Services provided by Application
            Services
                Editing/Printing/Displaying/etc.
Author Information Service block
    Set bytes confirming that this is an Author Information Service block
    Length of Author Information Service block
    Version of Author Information Service block
    Number of Authors of Data (zero or more)
    Author information
        Name of Author
            Real Author name
            Author's Unique ID
            Anonymous
                No ID given
            Registered (known to Authenticating Agency)
                Unique ID which maps to Author's Unique ID
            Pseudonym (known to Authenticating Agency)
                Unique Pseudonym which maps to Author's Unique ID
        Contact Information
            Name
            Organization or Company
            Address of contact
            Email address
            URL
            Phone
    Number of Author Authentication Agencies (zero or more)
        Author Authentication Agency
            Name of Authenticating Agency
            Address
            Email
            URL
Distributor Information Service block
    Set bytes confirming that this is a Distributor Information Service block
    Length of Distributor Information Service block
    Version of Distributor Information Service block
    Number of Distributors (zero or more)
    Distributor information
        Name
        Organization
        Site URL
        Email address
        Type of distribution provided



US 6,510,513 B1
      Download
      Subscription
      Consignment
    Bank routing information
    Type of payment accepted
Authentication Service block
  Version of Data Authentication Service
  Number of Data Authenticating Agencies (one or more)
  Data Authenticating Agency
    Name of Authenticating Agency
    Address
    Email
    URL
    (optional) Signature of digest by Authenticating Agency
Validation Service block
  Version of Validation Service
  Name of file validated
  Number of signatures of Authenticating Agency (one or more)
  Signature
    Name and version of algorithm used
    (optional) Signed security receipt by Authenticating Agency
Copyright Service block
  Version of Copyright Service
  Number of policies (zero or more)
  Copyright Policies (policies can be separate or combined):
    Viewing policy
      Must include copyright in view
      Can view freely
      Can view with author notification
      Can view with author permission
      Cannot view
    Displaying policy
      Must include copyright in display
      Can display freely
      Can display with author notification
      Can display with author permission
      Cannot display
    Copying policy
      Whole File and/or Parts (Cut&Paste)
      Must include copyright with new copy
      Can copy freely
      Can copy with author notification
      Can copy with author permission
      Cannot copy
    Distribution policy
      Must include copyright in distribution
      Can distribute freely
      Can distribute with author notification
      Can distribute with author permission
      Cannot distribute
    Modifying policy
      Must quote source when modified
      Can modify freely
      Can modify with author notification
      Can modify with author permission
      Cannot modify
    Storing policy
      Can store freely
      Can store with author notification
      Can store with author permission
      Cannot store
    Caching policy
      Can cache freely
      Can cache with author notification
      Can cache with author permission
      Cannot cache
Licensing Service block
  Version of Licensing Service
  Type of license
    Renewable
    Revocable
    Irrevocable
  Number of Licensors (zero or more)
  Licensor Information
    Name
    Organization or Company
    Address of contact
    Email address
    URL
    Phone
  Number of policies (zero or more)
  Licensing policies
    Ownership policy
      User must pay before usage
      User can use until license expires
      License revoked at end of subscription
    Number of uses policy
      Use one or more times
      Unlimited usage
    Number of users and/or machines policy
      One or more concurrent [users/machines]
      No concurrent [users/machines]
    Length of time of use policy
      Use only while subscribed to service
      Use for set duration when running
      Use for set duration since installation
      Usage ends on Time and Date
      Unlimited
    Credentials policy
      No credentials required
      Adult material (user must be registered as adult)
      Groups (user must be registered with set groups)
        Number of groups
        One or more Group credentials
          Group which has access
          Group Authenticating Agency
      Domains (computer address is in set domains)
        Number of domains
        One or more domains which have access
          Network mask for domain
      Passwords
        Number of passwords (one or more)
        Passwords which will unlock data
Subscription Service block
  Version of Subscription Service
  Edition of this data
  Number of policies (zero or more)
  Subscription policies
    Level policy
      All subscribers can access
      Subscribers at certain level can access
    Update policy
      Update when original data changed
      Update periodically
        Period to update
      Update on payment
      Update on demand
Consignment Service block
  Version of Consignment Service
  Number of policies (zero or more)
  Consignment policies
    Cost policy
      Free
      Amount per license
Data Encryption Service block
  Version of Encryption Service
  Encryption Algorithm used
  Version of Encryption Algorithm
  Algorithmic Information
    Users which can unlock data
    Public keys which will unlock data (zero or more)
      Public keys
    etc.
Data Watermark Service block
  Version of Watermark Service
  Watermark Algorithm used
  Version of Watermark Algorithm
  Watermark Information
Data Compression Service block
  Version of Compression Service
  Compression Algorithm used
  Version of Compression Algorithm
  Compression Information
    Huffman Data block
    Quantization levels
    etc.
Installation Service block
  Version of Installation Service
  Number of units to install (one or more)
  Unit
    Version of unit
    Number of data files in unit (one or more)
    Data file
      Data file name
      Data file size
      Flags
      Location after installation
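The format above is an outline rather than a byte layout, so the following is an added example (not code from the patent or from any product built on it) of what a concrete encoding and its parser look like: a Header block with set bytes, total length, version, identifier, registration time and block count, followed by length-prefixed service blocks, here one Copyright Service block. The parser treats every length field as untrusted, since it arrives inside the data being validated, and keeps service blocks it does not recognize opaque rather than rejecting them, which is what allows future services to be added without changing the format. The last function shows how a client security component maps a parsed copyright policy onto a requested operation. The magic values, field widths, policy codes and the default-deny rule for operations the certificate does not mention are this example's own assumptions; the patent fixes none of them.

```python
import struct

# Assumed "set bytes" (magic values) and field widths; the patent leaves both open.
CERT_MAGIC = b"SCRT"
COPYRIGHT_MAGIC = b"CPYR"
HEADER = struct.Struct("!4sIH16sIH")   # magic, total length, version, identifier, registration time, block count
BLOCK_HEADER = struct.Struct("!4sIH")  # magic, block length (header included), block version

# Assumed encoding of the Copyright Service block: a count, then (kind, level) byte pairs
# mirroring the policy kinds and levels of the outline.
KIND = {"view": 0, "display": 1, "copy": 2, "distribute": 3,
        "modify": 4, "store": 5, "cache": 6}
LEVEL = {"must_include_copyright": 0, "free": 1, "notify_author": 2,
         "author_permission": 3, "forbidden": 4}
KIND_NAME = {v: k for k, v in KIND.items()}
LEVEL_NAME = {v: k for k, v in LEVEL.items()}


class CertificateError(ValueError):
    """Raised for anything the parser refuses: bad set bytes, bad lengths, unknown codes."""


def encode_copyright_block(policies):
    """policies such as {"view": "free", "copy": "forbidden"} -> Copyright Service block bytes."""
    body = struct.pack("!H", len(policies))
    for kind, level in policies.items():
        body += struct.pack("!BB", KIND[kind], LEVEL[level])
    return BLOCK_HEADER.pack(COPYRIGHT_MAGIC, BLOCK_HEADER.size + len(body), 1) + body


def encode_certificate(identifier, registered_at, blocks):
    """Header block followed by the service blocks; identifier is 16 bytes, registered_at a Unix time."""
    body = b"".join(blocks)
    return HEADER.pack(CERT_MAGIC, HEADER.size + len(body), 1, identifier,
                       registered_at, len(blocks)) + body


def parse_certificate(data):
    """Parse the Header block and walk the service blocks.

    Length fields come from the data being validated, so each one is checked
    against the buffer before it is used rather than trusted."""
    if len(data) < HEADER.size:
        raise CertificateError("truncated header")
    magic, total, version, ident, registered_at, nblocks = HEADER.unpack_from(data)
    if magic != CERT_MAGIC:
        raise CertificateError("set bytes do not mark a security certificate")
    if total != len(data):
        raise CertificateError("declared length %d but %d bytes present" % (total, len(data)))
    cert = {"version": version, "identifier": ident,
            "registered_at": registered_at, "blocks": {}}
    off = HEADER.size
    for _ in range(nblocks):
        if off + BLOCK_HEADER.size > len(data):
            raise CertificateError("truncated service block header")
        bmagic, blen, bver = BLOCK_HEADER.unpack_from(data, off)
        # A block must at least cover its own header and must end inside the certificate.
        if blen < BLOCK_HEADER.size or off + blen > len(data):
            raise CertificateError("bad service block length %d at offset %d" % (blen, off))
        payload = data[off + BLOCK_HEADER.size:off + blen]
        if bmagic == COPYRIGHT_MAGIC:
            cert["blocks"]["copyright"] = _parse_copyright(payload)
        else:
            # Unknown or future service blocks are kept opaque, not rejected.
            cert["blocks"][bmagic.decode("ascii", "replace")] = payload
        off += blen
    if off != len(data):
        raise CertificateError("trailing bytes after the last service block")
    return cert


def _parse_copyright(payload):
    if len(payload) < 2:
        raise CertificateError("copyright block too short")
    (n,) = struct.unpack_from("!H", payload)
    if len(payload) != 2 + 2 * n:
        raise CertificateError("copyright block size does not match its policy count")
    policies = {}
    for i in range(n):
        kind, level = struct.unpack_from("!BB", payload, 2 + 2 * i)
        if kind not in KIND_NAME or level not in LEVEL_NAME:
            raise CertificateError("unknown copyright policy code (%d, %d)" % (kind, level))
        policies[KIND_NAME[kind]] = LEVEL_NAME[level]
    return policies


def decide(policies, operation):
    """What a client security component does with a requested operation.

    An operation the certificate does not mention is denied (assumed default-deny)."""
    level = policies.get(operation, "forbidden")
    return {"free": "allow",
            "must_include_copyright": "allow_with_copyright_notice",
            "notify_author": "allow_and_notify_author",
            "author_permission": "ask_author_permission",
            "forbidden": "deny"}[level]


if __name__ == "__main__":
    # Constructed example: a "view only" certificate for a music video clip.
    video = encode_certificate(b"\x00" * 15 + b"\x05", 946684800,
                               [encode_copyright_block({"view": "free", "copy": "forbidden",
                                                        "modify": "forbidden"})])
    policy = parse_certificate(video)["blocks"]["copyright"]
    print(decide(policy, "view"), decide(policy, "copy"))   # allow deny
```

The two length checks are the point a practitioner should take from this: a certificate travels with the data it protects, so a declared block length larger than the buffer, or a policy count that does not match the block size, is exactly the kind of input a parser of this format will meet, and it must fail closed rather than read past the buffer or accept a truncated policy list as "no restrictions".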
Authentication Section

The trusted arbitrator authenticates the requestor's credentials and returns a security certificate containing the information about the trusted arbitrator in the Authentication Service section. An Authentication certificate allows receivers of the data to authenticate and validate the vendor as the original author of the data.

Validation Section

When a trusted arbitrator provides a security certificate containing a Validation Service section, the trusted arbitrator guarantees to validate any digests sent to it against the digest originally sent by the requestor. Validation does not prevent others from registering someone else's original work, but as long as the originator registers a digest with the trusted arbitrator before the work is publicly released, the entry for the originator's digest will be earlier than all others.

The trusted arbitrator can also digitally sign the digest and include the signature in the Validation Service section. If receivers of the data can validate that the signature is correct, they can validate the data without submitting the digest to the trusted arbitrator.

Copyrighting Section

The Copyright Service is available with different levels of policy enforcement. The following are examples of levels of policy that can be enforced:

copy freely without author consent,
modify freely without author consent,
distribute freely without author consent,
notify author before copy,
notify author before modification,
notify author before distribution,
no copying,
no modification,
no distribution,
cannot cut and paste parts of the data, but can copy all data intact,
must include copyright policy when viewing,
cannot display (in the case of web pages), and
no caching (in the case of web browsers, routers, and servers).

The level(s) of the copyright certificate requested depend on the data and the policy enforcement desired by the author, e.g., a movie can be copyrighted to allow the viewer to watch it but not store it digitally, while digital data can be viewed and displayed but not cached. Different portions of a single work can have different copyright policies, so that the author of a song can copyright the melody and lyrics separately, for example.

There is also the ability to allow anonymous copyrighting, where the user is notified that the original author has requested a copyright policy, but the security certificate does not reveal the identity of the author to the user.

Licensing Section

Licensing policy enforcement can be set for executable code or other electronic information through the License Service section of a security certificate. As with copyrighting, licensing certificates are available in varying levels, with the following provided as examples:

X number of uses,
X number of users,
expiration date,
user must pay before use,
user can use only while subscribing to service,
only users within particular computer domains or user groups can use data,
data must be unlocked by keycode or password before use,
revocable, and
irrevocable.

The levels of licensing policy can be combined with other policies such as the copyright policies. Thus, for example, an author can restrict the user to a certain number of uses and require a keycode or password to unlock the information. The keycode or password would be particular to the user, so that it unlocks the information on one computer but cannot be used to unlock the information on another computer. The other computer would have to request a new license for the information by sending a new license request to the trusted arbitrator with the security certificate serial number.
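The registration and validation exchange that the Validation Section above describes, as an added example that is not code from the patent: the trusted arbitrator keeps a verification log in which each digest gets a sequence number (order of arrival) and a time stamp, returns a receipt over the logged entry, and answers a receiver's validate request by comparing the resubmitted digest with the logged one for that certificate serial number. A second registration of the same digest by someone else is not refused, only ordered after the first, which is exactly the guarantee the section gives. SHA-256 as the one-way hash, the HMAC used as a stand-in for the arbitrator's digital signature on the receipt, the receipt layout, the serial numbers and the sample data are this example's own assumptions.

```python
import hashlib
import hmac
import itertools
import time


def digest(authenticated_file):
    """One-way hash of an authenticated file (certificate + distribution unit).
    SHA-256 is this example's choice; the patent names no algorithm."""
    return hashlib.sha256(authenticated_file).hexdigest()


def _receipt_bytes(seq, ts, d, serial):
    # Canonical form of a log entry, the thing the receipt signature covers.
    return ("%d|%d|%s|%s" % (seq, ts, d, serial)).encode()


class TrustedArbitrator:
    """Server side: a registration module that logs digests with a sequence number
    and a time stamp, and a validation check against that log."""

    def __init__(self, receipt_key, clock=time.time):
        self._key = receipt_key          # assumed: stand-in for the arbitrator's signing key
        self._clock = clock
        self._seq = itertools.count(1)   # order of arrival
        self.log = []                    # verification log: (sequence, timestamp, digest, certificate serial)

    def register(self, cert_serial, d):
        """Log a digest submitted under a certificate serial; return a time stamped receipt."""
        entry = (next(self._seq), int(self._clock()), d, cert_serial)
        self.log.append(entry)
        return self._receipt(entry)

    def _receipt(self, entry):
        seq, ts, d, serial = entry
        # An HMAC stands in for the digital signature on the receipt. A real arbitrator
        # would sign with a private key so any receiver can verify with its public key.
        sig = hmac.new(self._key, _receipt_bytes(seq, ts, d, serial), hashlib.sha256).hexdigest()
        return {"sequence": seq, "timestamp": ts, "digest": d, "serial": serial, "signature": sig}

    def validate(self, cert_serial, d):
        """A receiver's validate request: the digest it computed, checked against the log."""
        logged = [e for e in self.log if e[3] == cert_serial]
        if not logged:
            return "unknown certificate serial"
        if any(e[2] == d for e in logged):
            return "valid"
        return "invalid: digest does not match the registered digest"

    def earliest_registrant(self, d):
        """If two parties register the same digest, the lower sequence number was first."""
        hits = [e for e in self.log if e[2] == d]
        return min(hits)[3] if hits else None


def verify_receipt(key, receipt):
    """Check a receipt's signature without a round trip to the arbitrator."""
    expected = hmac.new(key, _receipt_bytes(receipt["sequence"], receipt["timestamp"],
                                            receipt["digest"], receipt["serial"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["signature"])


if __name__ == "__main__":
    arb = TrustedArbitrator(b"arbitrator-secret")            # constructed key
    certificate = b"SCRT serial=2014 copyright=view-only"     # constructed stand-in for a certificate
    video = b"music video bytes"                              # constructed distribution unit
    receipt = arb.register("2014", digest(certificate + video))
    print(verify_receipt(b"arbitrator-secret", receipt))
    print(arb.validate("2014", digest(certificate + video)))
    print(arb.validate("2014", digest(certificate + video + b"!")))
```

With a real signature the receiver needs only the arbitrator's public key; with the HMAC stand-in the verifying side must hold the same key, which is why verify_receipt takes it as a parameter. Note that the digest covers certificate and data together, so a swapped certificate fails validation as surely as altered data does.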
Subscription Section

The author of a work, such as a software application, that wishes to provide updates to registered users (subscribers) of the work requests a Subscription certificate from the trusted arbitrator. A user is registered as a subscriber when it sends the digest containing the subscription certificate to the trusted arbitrator. The subscriber's name and address, along with the information subscribed to, are stored by the trusted arbitrator. Subscription certificates come in varying levels related to certain events, for example:

information changes (when the author updates the file),
payment updates (when the subscriber pays),
a time period passes (daily, weekly, monthly, etc.), and
on-demand (when the subscriber requests it).

The levels of subscription can be combined with licensing so that the author requires the subscriber to pay for the information. The type of payment can be specified, e.g., pay one fee for the service or pay per each piece of information.

The trusted arbitrator can notify the subscriber of the updates via e-mail, by "push" to the user's desktop using technology such as Microsoft's Active Channels, which allows a user to subscribe to an automatic notification service, or by pointing the user to an Internet URL (uniform resource locator) where the user can view/download the new information. The trusted arbitrator can also offer an anonymous subscription certificate where the subscriber is notified when the author updates the information, but the subscriber's data is held in confidence by the trusted arbitrator and not revealed to the author.

Consignment Section

A consignment certificate causes the trusted arbitrator to enforce a payment policy on the user of the electronic information. Consignment certificates apply various levels of policy enforcement, for example:

alert the user periodically (as in so-called "nagware"),
force the user to pay before running,
force the user to pay after a license has expired,
unlock features after the user paid, and
[...].

Summary

The particular methods performed by the server computer for a trusted arbitrator of an exemplary embodiment of the invention have been described. The method performed by the server has been shown by reference to flowcharts in FIGS. 7, 8, 9, 10, 11, 12A, 12B and 13, including the steps from 701 through 707, 801 through 816, 901 through 906, 1001 through 1012, 1101 through 1113, 1201 through 1224 and 1301 through 1310.

The particular methods performed by the client computer for a software vendor of an exemplary embodiment of the invention have been described. The method performed by the vendor client computer has been shown by reference to flowcharts in FIG. 14, including the steps from 1401 through 1408.

The particular methods performed by the client computer for a user of an exemplary embodiment of the invention have been described. The method performed by the user client computer has been shown by reference to flowcharts in FIGS. 15, 16, 17, 18 and 19, including the steps from 1500 through 1512, 1601 through 1613, 1701 through 1709, 1801 through 1805, and 1901 through 1906.

Additionally, exemplary embodiments of security certificates for use with the methods have been described. The combination of the security certificates and methods provides an easy mechanism to protect originators of electronic data from misuse while, at the same time, protecting users from corrupted data.

Internet Implementation

In this section of the detailed description, a particular implementation of the invention is described that provides the security services and policy enforcement through standard software applications executing on the client computers when the electronic data is distributed through the Internet. FIG. 20 illustrates modules, or components, included in the standard software applications that cause the client computers to automatically execute the methods described in the previous section. The components necessary to implement the methods for the server computer are incorporated into standard software used by a certificate authority or similar trusted third party and are described after the components for the clients. As one skilled in the art will readily recognize, the components can be written in any executable [...] objects in an object-oriented environment such as Java. An object is an encapsulated collection of code and data having internal functions (methods) that operate on the data and expose external interfaces (properties) used to communicate with the object. Objects which can implement this invention include, but are not limited to, ActiveX controls which expose a standard set of functions in an interface. The ActiveX control would recognize the security certificate and implement its security services and policies. Applications (web browsers, word processors, paint programs, etc.) could load the ActiveX control and call functions to determine the correct policy to implement. The user is not hindered by the ActiveX control, which would intervene only when necessary.

For example, assume a publicity agent for a singer uses client computer 2000 to create an electronic press release kit to announce the singer's new album. The agent wants to [...] a press release document 2003, a clip from the music video 2005, and a lyric file 2007 containing [...]. The agent wants users to freely redistribute the entire electronic press release kit and the press release document to gain the maximum [...]. The agent uses a web browser 2009, such as Microsoft Internet Explorer, to connect to a web page on a trusted arbitrator's server 2001. The agent fills out a form on the web page requesting security certificates for data files 2003, 2005, 2007 and for a distribution unit 2023 that will contain all of the data files 2003, 2005, 2007. A security component 2011 in the browser 2009 automatically provides the credential information required to authenticate the agent. The security component 2011 computes the digests 2025, 2027, 2029 and 2031 of the requested files and their combination, respectively, using a one-way hashing function. The request for the security certificate for the press release 2003 contains the digest 2025 and the copyright service specifying the "copy freely" policy. Since the agent wants to protect the video clip from being bootlegged, the request for the security certificate for data file 2005 contains the digest 2027 and the copyright service specifying the "view only" policy. The lyrics can be copied in whole or in part if attributed to the original song writers. The security certificate request for the lyric file 2007 contains the digest 2029 and the copyright service specifying the "copy whole file and/or parts, but must include copyright" policy. The agent also requests a security certificate for the distribution unit 2023 which contains the "copy freely" policy and submits the digest of all the files 2003, 2005, 2007 in the request.

The trusted arbitrator returns the security certificates 2013, 2014 and 2015 for the files 2003, 2005 and 2007, respectively, and returns 2016 for the distribution unit 2023. The agent packages each security certificate with its data and creates a nested distribution unit 2023 which serves as the press release kit. The agent requests that the browser 2009 upload the press release kit 2023 to several web sites that specialize in music entertainment 2040.

A user browsing one of the music entertainment sites 2040 sees an announcement regarding the press release kit. When the user clicks on a link to the press release kit, the distribution unit 2023 is downloaded to the client (user's) computer 2002. A security component 2035 in the user's browser 2033 extracts the security certificates 2013, 2014, 2015 of all the files 2003, 2005, 2007 in the distribution unit 2023 and the security certificate 2016 of the distribution unit 2023. The security component 2035 computes digests 2025, 2027, 2029, 2031 from the data files 2003, 2005, 2007 and the distribution unit 2023, connects to the trusted arbitrator's server 2001, and submits a validate request to the trusted arbitrator's server 2001. The validate request contains the serial numbers of the security certificates 2013, 2014, 2015, 2016 and the digests 2025, 2027, 2029, 2031.

Once the validation is complete, the security component 2035 in the browser 2033 allows the user to view the data. The browser 2033 now displays the press release document 2003 and lyrics 2007 to the user and can play the music video 2005. However, if the user attempts to save the lyrics 2007 in whole or in part to a different location on the computer 2002, the security component 2035 in the browser 2033 copies the original copyright notice attributing the lyrics to the original author. If the user attempts to modify or copy the music video to a different location, the security component 2035 in the browser 2033 notifies the user that the music video is view only and cannot be copied or modified.

When the user exits the browser 2033, the user can access the press release document 2003, the video clip 2005, and the lyric file 2007 through their "native" applications 2037, such as Microsoft Word and Microsoft Media Player. When the user requests that the native application 2037 open one of the items 2003, 2005, 2007 in the press release kit, a security component 2039 in the native application 2037 uses the associated security certificate 2013, 2014, 2015 to determine the proper uses of the item. If the user requests that the native application 2037 copy or modify the item, the security component 2039 in the native application 2037 notifies the user of the improper use and aborts the operation. In the embodiment illustrated in FIG. 20, the security components 2035 and 2039 are shown as separate modules. Alternate embodiments in which the same security module is shared among all software executing on the user's computer which need to validate data are considered within the scope of the invention.

The server 2001 for the trusted arbitrator executes standard server software containing three components that provide the services required by the client computer. Because the components are considered to be well within the understanding of one of skill in the art based on the details provided in the previous section, the components are not illustrated in FIG. 20.

A server security module creates the security certificates 2013, 2014, 2015, 2016 when the server 2001 receives the request from the client computer 2000 and returns the security certificates to the client computer 2000. A registration module logs the digests 2025, 2027, 2029, 2031 received from the client computer 2000 into the verification log and returns the time stamped receipts to the client computer. A server security module compares the digest received from the client computer 2002 with the logged digest and returns validation messages when the digests match.

This section has described a particular implementation of security services and policy enforcement for electronic data provided by components within standard software applications running on a client computer. The components can be provided as add-on modules, such as applets downloaded for use in a browser, or can be incorporated in the software as a standard feature. This section has also described a particular implementation of the security services and policy enforcement for electronic data provided by components within standard server software.

Conclusion

A series of transactions and security certificates have been described which authenticate and validate electronic data and enforce restrictions on the use of that data. The transaction functions are performed by components within standard [...] the present invention guarantees the authenticity and validity of the electronic data and enforces restrictions on the data through the use of the certificates. Furthermore, the verification [...] author and creation time [...] authenticated an author prior to creating the [...] stamps the certificate and the digest [...] from the electronic data. Because [...] automatically provided [...] standard software, the author and the user do not have to concern themselves with [...] already provided [...].

Although specific embodiments have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that any arrangement which is calculated to achieve the same purpose may be substituted for the specific embodiments shown. This application is intended to cover any adaptations or variations of the present invention. The terminology used in this application with respect to [...] is meant to include all hardware and software platforms. Therefore, it is manifestly intended that this invention be limited only by the following claims and equivalents thereof.

I claim:

1. A computerized method for providing security services and policy enforcement for electronic data, the method comprising the steps of:

submitting, by a first client, a certificate request to a server;

receiving, by the server, the certificate request, authenticating the first client, generating a certificate, registering the certificate, and transmitting the certificate to the first client;

receiving, by the first client, the certificate, creating an authenticated file containing the certificate and a distribution unit, generating a first digest from the authenticated file using a hashing algorithm, and submitting the first digest to the server;

time stamping, by the server, the digest, logging the digest, and transmitting a time stamped receipt to the first client;
acquiring, by a second client, the authenticated file, generating a second digest from the authenticated file using the hashing algorithm, and submitting the second digest to the server; and

receiving, by the server, the second digest, comparing the second digest to the logged first digest, and transmitting a message to the second client as a result of the comparison.

2. The computerized method of claim 1, wherein the 
certificate requested is a security certificate. 

3. The computerized method of claim 1, wherein the 
certificate requested is a subscription certificate and further 
comprising the steps of: 

registering, by the server, the second client as having the 
authenticated file; 

creating, by the first client, an update authenticated file 
containing the certificate and an updated version of the 
distribution unit, generating an update digest from the 
update authenticated file using the hashing algorithm, 
and submitting the update digest to the server; 

receiving, by the server, time stamping and logging the 
update digest, and returning a time stamped update 
receipt to the first client; and 

determining, by the server, that the second client has the authenticated file and notifying the second client of the update authenticated file.

4. The computerized method of claim 1, wherein the 
certificate requested is a policy enforcement certificate. 

5. The computerized method of claim 4, further compris- 
ing the steps of: 

generating, by the second client, a notification that the 
data in the distribution unit is being used inappropri- 
ately based on a policy level specified in the certificate 

receiving, by the server, the inappropriate use notification; and

notifying the first client of the inappropriate use.

6. The computerized method of claim 4, wherein the 
message returned by the server to the second client requests 
the second client pay for the authenticated file and further 
comprising the steps of: 

receiving, by the server, a payment from the second client; 
and 

transmitting, by the server, a key to unlock data in the distribution unit.

7. A computer-readable medium having computer-executable instructions to cause a server computer to perform a method comprising:

creating a certificate in response to receiving a certificate request from an authenticated first client;
registering the certificate as held by the first client;
transmitting the certificate to the first client;
logging a digest received from the first client using a first time stamp;
comparing a digest received from a second client with the logged digest; and
transmitting a comparison result message to the second client.

8. The computer-readable medium of claim 7, further 
comprising the steps of: 

receiving a notification that the second client is using data 
associated with the logged digest inappropriately based 
on a policy level specified in the certificate; and 

transmitting a notification of inappropriate use to the first client.
9. The computer-readable medium of claim 7, further comprising the steps of:

registering the second client as having data associated with the logged digest;
logging an update digest received from the first client using a second time stamp;
returning an update receipt to the first client; and
notifying the second client that the data associated with the logged digest has been updated.

10. The computer-readable medium of claim 7, further 
comprising the steps of: 

transmitting a request for payment to the second client; 
receiving payment from the second client; and 
transmitting a key to unlock data associated with the 
logged digest. 

11. A computer-readable medium having computer-executable instructions to cause a client computer to perform a method comprising:

transmitting a certificate request to a server;
receiving a certificate from the server;
generating a digest from the certificate combined with a distribution unit using a hashing algorithm;
transmitting the digest to the server; and
receiving a time stamped confirmation message for the digest from the server.

12. The computer-readable medium of claim 11, wherein the method further comprises receiving an inappropriate use message from the server.

13. The computer-readable medium of claim 11, wherein 
the method further comprises: 

generating an update digest from the certificate and an 

updated version of the distribution unit; 
transmitting the update digest to the server; and 
receiving a time stamped confirmation message for the 
update digest from the server. 

14. A computer-readable medium having computer-executable instructions to cause a client computer to perform a method comprising:

generating a digest from a certificate and a distribution unit received by the client;
transmitting the digest to a server;
receiving a message from the server as a result of transmitting the digest;
determining that data in the distribution unit is being used inappropriately based on a policy level specified in the certificate;
alerting a user of the client computer of the inappropriate use; and
transmitting a notification message to the server regarding the inappropriate use if the user continues the use.

15. The computer-readable medium of claim 14, wherein the method further comprises receiving an update notification from the server that data in the distribution unit has been updated.

16. The computer-readable medium of claim 14, wherein the method further comprises:

receiving a payment request from the server; 
transmitting a payment to the server; and 
receiving a key from the server to unlock data in the 
distribution unit. 
17. A computer system comprising:
a processing unit;
a system memory coupled to the processing unit through a system bus;
a computer-readable medium coupled to the processing unit through a system bus; and
a client application executed from the computer-readable medium by the processing unit, wherein the client application comprises:

a validation module that causes the processing unit to 
generate a digest from an authenticated file received 
by the processing unit, to submit the digest to a 
server, and to receive a message from the server as 
a result of submitting the digest; 

wherein the validation module further causes the pro- 
cessing unit to detect inappropriate use of data in the 
authenticated file based on a policy level specified in 
a certificate in the authenticated file, to notify a user 
of the computer of the inappropriate use, and to 
submit an inappropriate use message to the server if
the use continues. 

18. The computer system of claim 17, wherein the vali- 
dation module further causes the processing unit to receive 
an update notification from the server. 

19. The computer system of claim 17, wherein the validation module further causes the processing unit to receive
a payment request from the server, to submit payment to the 
server in response to the payment request, and to receive a 
key to unlock data in the authenticated file. 

20. The computer system of claim 17, wherein the client 
application further comprises: 

an authentication module that causes the processing unit 
to create a request for a certificate, to submit the request 
to a server, to combine a distribution unit and the 
certificate received from the server into an authenti- 
cated file, to generate a digest from the authenticated 
file using a hashing algorithm, to submit the digest to 
the server, and to receive a confirmation message from 
the server. 

21. The computer system of claim 20, wherein the authen- 
tication module further causes the processing unit to com- 
bine an updated version of the distribution unit and the 
certificate into an update authenticated file, to generate a 
digest from the update authenticated file using the hashing 
algorithm, to submit the update digest to the server, and to 
receive an update confirmation message from the server. 

22. The computer system of claim 20, wherein the authen- 
tication module further causes the processing unit to receive 
an inappropriate use notification message from the server. 

23. A computer system comprising:
a processing unit;
a system memory coupled to the processing unit through a system bus;
a computer-readable medium coupled to the processing unit through a system bus; and
a client application executed from the computer-readable medium by the processing unit, wherein the client application comprises:
[...]
24. The computer system of claim 23, wherein the authentication module further causes the processing unit to combine an updated version of the distribution unit and the certificate into an update authenticated file, to generate an update digest from the update authenticated file using the hashing algorithm, to submit the update digest to the server, and to receive an update confirmation message from the server.

25. The computer system of claim 23, wherein the authentication module further causes the processing unit to receive an inappropriate use notification message from the server.

26. A computer system comprising: 
a processing unit; 

a system memory coupled to the processing unit through 
a system bus; 

a computer-readable medium coupled to the processing 

unit through a system bus; and 
a client application executed from the computer-readable 
medium by the processing unit, wherein the client 

appUcation comprises: 

a security module that causes the processing unit to 
detect inappropriate use of data in an authenticated 
file based on a policy level specified in a certificate 
in the authenticated file, to notify a user of the 
computer of the inappropriate use, and to submit an 
inappropriate use message to a server if the use 
continues. 

27. A computer system comprising: 
a processing unit; 

a system memory coupled to the processing unit through 
a system bus; 

a computer-readable medium coupled to the processing 

unit through a system bus; and 
a server apphcation executed from the computer-readable 
medium by the processing unit, wherein the server 
application comprises: 

a certificate module that causes the processing unit to 
create a certificate in response to receiving a certifi- 
cate request from an authenticated requesting client, 
to register the certificate, and to transmit the certifi- 
cate to the requesting client; 
a registration module that causes the processing unit to 
log a digest with a time stamp in response to receiv- 
ing the digest, and to return a confirmation message; 
and 

a security module that causes the processing unit to 
compare a digest received by the processing unit 
against the logged digest, and to transmit a message 
as a result of the comparison. 
28. The computer system of claim 27, wherein the secu- 
rity module causes the processing unit to receive, from a 
client, an inappropriate use message based on a policy level 
specified in the certificate and 
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to notify the client that 

an authentication module diat causes the processing 60 requested the certificate of the inappropriate use. 
unit to create a request for a certificate, to submit the 29. The computer system of claim 27, wherein the mes- 
request to a server, to combine a distribution unit and sage transmitted by the security module as a result of the 
the certificate received from the server into an comparison is a payment request, and the security module 
authenticated file, to generate a digest from the fi^rther causes the processing unit to receive a payment and 
authenticated file, to submit the digest to the server, 65 to transmit a key in response to receiving the payment 
^"'^ to receive a confirmation message from the 

* « 4i « « 



and 
server. 
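The client/server exchange set out in claims 20 through 28 (certificate request, distribution unit plus certificate combined into an authenticated file, digest registered with a time stamp, later digest comparison, and the inappropriate-use report routed back to the client that requested the certificate), as an added Python illustration that is not part of this patent and not the applicant's code. The class and function names (AuthServer, publish, validate, check_policy), JSON as the serialization of the authenticated file, SHA-256 as the hashing algorithm, and the two policy levels "view" and "copy" are all assumptions; authentication of the requesting client, the payment and key exchange of claims 19 and 29, and the update flow of claims 21 and 24 are not shown.

```python
# Added illustration of the certificate and digest exchange in claims 20-29.
# Not the patent's or the applicant's code: names, JSON serialization,
# SHA-256 as the hashing algorithm and the policy levels are assumptions.
import hashlib
import json
import time


class AuthServer:
    """Server application of claim 27: certificate, registration, security modules."""

    def __init__(self):
        self.certificates = {}   # certificate id -> certificate
        self.registry = {}       # certificate id -> (logged digest, time stamp)
        self.notifications = []  # messages to the client that requested a certificate

    def create_certificate(self, client_id, policy_level):
        # Certificate module; authentication of the requesting client is
        # assumed to have happened before this call.
        cert_id = "cert-%d" % (len(self.certificates) + 1)
        cert = {"id": cert_id, "owner": client_id, "policy_level": policy_level}
        self.certificates[cert_id] = cert   # register the certificate
        return dict(cert)

    def register_digest(self, cert_id, digest):
        # Registration module: log the digest with a time stamp and confirm.
        if cert_id not in self.certificates:
            return {"status": "error", "reason": "unknown certificate"}
        self.registry[cert_id] = (digest, time.time())
        return {"status": "confirmed", "cert_id": cert_id}

    def validate_digest(self, cert_id, digest):
        # Security module: compare a received digest against the logged one.
        logged = self.registry.get(cert_id)
        if logged is None:
            return {"status": "unregistered"}
        if logged[0] != digest:
            return {"status": "mismatch"}
        return {"status": "valid", "registered_at": logged[1]}

    def report_inappropriate_use(self, cert_id, reporter):
        # Claim 28: notify the client that requested the certificate.
        msg = {"to": self.certificates[cert_id]["owner"], "cert_id": cert_id,
               "reported_by": reporter}
        self.notifications.append(msg)
        return msg


def digest_of(authenticated_file):
    # Hashing algorithm over a canonical serialization. The certificate, and
    # so its policy level, is inside the hashed file: editing it changes the digest.
    data = json.dumps(authenticated_file, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()


def publish(server, client_id, distribution_unit, policy_level):
    # Authentication module of claims 20 and 23 on the publishing client.
    cert = server.create_certificate(client_id, policy_level)
    auth_file = {"distribution_unit": distribution_unit, "certificate": cert}
    confirmation = server.register_digest(cert["id"], digest_of(auth_file))
    return auth_file, confirmation


def validate(server, auth_file):
    # Validation module on the receiving client: regenerate the digest and
    # have the server compare it against the logged digest.
    return server.validate_digest(auth_file["certificate"]["id"], digest_of(auth_file))


def check_policy(server, auth_file, requested_use, user_id, continued=False):
    # Security module of claim 26: detect inappropriate use from the policy
    # level in the certificate, notify the user, message the server only if
    # the use continues.
    allowed = {"view": {"view"}, "copy": {"view", "copy"}}
    cert = auth_file["certificate"]
    if requested_use in allowed.get(cert["policy_level"], set()):
        return {"allowed": True}
    result = {"allowed": False, "notified_user": user_id}
    if continued:
        result["server_message"] = server.report_inappropriate_use(cert["id"], user_id)
    return result


def demo():
    server = AuthServer()
    unit = {"title": "report.txt", "body": "Quarterly figures (constructed sample)"}
    auth_file, confirmation = publish(server, "alice", unit, "view")
    genuine = validate(server, auth_file)
    tampered = json.loads(json.dumps(auth_file))        # deep copy
    tampered["certificate"]["policy_level"] = "copy"    # attempted policy escalation
    forged = validate(server, tampered)
    first = check_policy(server, auth_file, "copy", "bob")
    second = check_policy(server, auth_file, "copy", "bob", continued=True)
    return (confirmation["status"], genuine["status"], forged["status"],
            first["allowed"], "server_message" in first,
            "server_message" in second, len(server.notifications))
```

demo() returns ("confirmed", "valid", "mismatch", False, False, True, 1): the genuine file validates, the copy whose policy level was raised to "copy" fails the digest comparison because the certificate is part of the hashed file, and the first disallowed use only notifies the local user, with the server message sent only once the use continues. A real deployment would also need the server to authenticate the client presenting the certificate request and to bind the digest log to a trusted clock, neither of which this sketch attempts.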